Where health information must be disclosed to a third party, your practice must consider what information is relevant for the proposed purpose. Patients will expect that only the necessary parts of their health information will be disclosed.
For example, a referring GP might not be justified in forwarding a complete copy of a patient’s medical record to another practitioner if that information does not relate to the referral.
Prior to disclosing any health information, your practice should carefully examine its authority for disclosure and seek advice where necessary (refer to section on Subpoenas and disclosure required by law).
For further information, refer to the RACGP’s resources on managing the use of your practice data, available at www.racgp.org.au/running-a-practice/security/managing-practice-information/secondary-use-of-general-practice-data.
Case study: Limiting disclosure
Laura has commenced her stroke rehabilitation. Her treatment is being led by her GP, who is coordinating a multidisciplinary healthcare team consisting of a neurologist, rehabilitation team and practice nurse. Laura visits her neurologist on a regular basis. The consultation recommendations are provided to Laura's GP, who then passes them on to the other healthcare professionals.
Laura discloses to her neurologist that she has been having difficulty controlling her emotions, including experiencing depression. Her GP is advised and discusses Laura’s depression with her and prescribes medication as appropriate.
When Laura visits her treating physiotherapist, he talks to Laura about her depression. Laura is surprised and embarrassed by this. She did not expect her physiotherapist to receive information disclosed to her neurologist.
It is reasonable to expect that Laura consented to her GP disclosing those aspects of her health relevant to each treating team member. However, Laura’s GP did not consider that she was unlikely to consent to unrelated disclosures, such as in this instance where her physiotherapist has been made aware of her depression. This might be an unauthorised disclosure under the Privacy Act, irrespective of whether the physiotherapist acquired the information from her medical record or whether it was disclosed by another team member.
In assessing what aspects of Laura’s medical record should be disclosed, Laura’s GP should have:
- managed the information provided to each team member and maintained strict confidentiality in discussing Laura’s condition
- managed what information was collected in her general file and what was stored separately
- discussed with Laura how (and with whom) her information would be shared.