Privacy and information

 

The management of sensitive information is an ever-present issue in our clients’ business. Privacy law in health is complex and it is only becoming more so with electronic information sharing and shared repositories. The stakes are high. Our lawyers are experts in health privacy law. Advising clients on privacy matters is core business for Claro and that means everything from developing information sharing structures through to responding to Ombudsman complaints and representing clients in legal action for alleged breach of privacy obligations.

When it comes to health information privacy:

  • do patients know what information is collected, why and who will receive it?
  • much rests on the ‘purpose for collection’
  • with information management systems, the devil is in the detail.

Examples of work done by Claro lawyers:

High Court claim for breach of privacy and confidentiality following the unlawful access by an employed health professional to the patient records of a personal acquaintance. We represented the DHB. The claim raised issues of vicarious liability of a DHB where an employee acts outside clear instructions of the employer and in breach of employer’s policies. Following negotiation the complainant did not pursue the claim.

Disclosure of information protected by a quality assurance activity without justification. Many private hospitals and specialist groups have a Protected Quality Assurance Activity Notice (PQAA). We have advised providers in situations where there has been inadvertent disclosure of protected information outside of the PQAA. We have also advised providers where there has been an incorrect understanding that the PQAA provisions apply. It is recommended that providers have clear policies and procedures for managing PQAA information to minimise the risk of breaching the confidentiality provisions that apply to PQAA information. Providers who hold PQAAs should also be aware that reports provided to the Ministry of Health are amenable to disclosure under the Official Information Act.

A patient’s disclosure to a mental health nurse that he had killed his partner. The patient was in police custody at the time of disclosure. The statement was recorded in the nurse’s notes; police requested disclosure of the notes. Our lawyers provided urgent advice to the DHB which covered balancing of competing interests; patient confidentiality/damage to therapeutic relationship versus public interest in the Police investigating a possible homicide. We also advised clinicians on legal issues, process to follow, risks associated with both disclosing and withholding, and implications if the Police obtained a search warrant.

Human Rights Review Tribunal (HRRT) claim against a DHB for interference with privacy. We acted for the DHB, which had refused to provide the patient with a written report on his mental health, the report being withheld under the Privacy Act on several grounds, including that it was likely to endanger the safety of any individual. The legal issues were complicated by the fact the report had been read aloud to the patient, but a psychiatrist believed that disclosure of the written report to the patient might result in fixation by the patient and harm to others. The DHB’s decision to withhold had been upheld by the Privacy Commissioner. The claim to the HRRT was subsequently withdrawn.

Defamation claim. A health professional made a disparaging and subjective comment in a patient’s notes about the patient’s support person. Requests were made to remove the note, and for the reasons for its inclusion to be investigated. An allegation of defamation was made. The matter involved consideration of “qualified privilege” in terms of the Defamation Act 1992 and the extent to which a confidential patient record can be considered a publication.

Advice to health regulatory authorities on the development of information policies. Regulatory Authorities are not subject to the Official Information Act, but are statutory decision-makers. The collection and disclosure of information about individual practitioners can be managed under the principles of the Privacy Act, or the relevant provisions of the HPCA Act. However, broader requests for copies of minutes or other information that do not relate to individuals – but which may be relevant to stakeholders – need to be managed consistently by way of policy. We have advised on and drafted policies to assist authorities in dealing with requests for information.

Review of and advice on proposed information sharing frameworks, including the sharing of information across multiple agencies, and the obligations on all agencies with respect to that information.

Unauthorised access of patient records – professional discipline. We acted for a health professional facing a charge of professional misconduct for accessing the records of family and friends without authorisation.

 

Training we offer

We run training programmes for health providers, public sector organisations and statutory entities on the Privacy Act and Official Information Act, and on the management of health information in accordance with the Health Act and Health Information Privacy Code. For further information, or if you wish to discuss your organisation’s training needs, contact Jonathan Coates.