eMJA     The Medical Journal of Australia

Home | Issues | eMJA shop | Classifieds | Contact | More... | Topics | Search | Login | Buy full access   

Abstract

Australians place more trust in doctors and hospitals to keep and use information in a responsible way than they do in other organisations.⁴ However, many Australians believe there is less privacy now than there was and that computers make it easier for confidential information to fall into the wrong hands.⁴ The collection and use of health information has also been identified as a cause for public concern in other countries.^5,6 Commentators within the profession have warned that electronic patient records may reduce the protection of patient privacy⁷ and there is consumer concern about the potential for direct marketing of pharmaceuticals.⁸

The current legal provisions for protecting confidentiality in South Australia are summarised in Box 1. However, it is not known whether these privacy safeguards are adequate. There is little evidence to support the contention that patient confidentiality is being undermined. In the United States, there has been limited quantitative assessment of the effectiveness of the methods currently used to protect confidential patient information,¹¹ the frequency with which unauthorised releases of information occur,¹² or the consequences for patients of these events.

Using data from a population survey in South Australia, I investigated the level of confidence in health services, the prevalence of unauthorised information release by health services and the likelihood of harm resulting from these events.

Participants

Interviewers started from a random point within each of 340 metropolitan and 100 country Collectors Districts (used by the Australian Bureau of Statistics in the 1996 Census) and chose every fourth dwelling until 10 were selected from each district. Of the 4400 dwellings selected, 133 were vacant. Interviews were conducted with one household member aged over 15 years (the one with the most recent birthday) in 3013 of the remaining 4267 households, giving a response rate of 70.6%.

The interview questions are shown in Box 2.

Statistical analysis

For population projections, I used 1999 figures from the Australian Bureau of Statistics (South Australian population by age and sex).¹⁴

Ethical approval

Confidence in healthcare providers as data custodians

Prevalence and sources of unauthorised information release

The 108 participants identified 123 instances of information release without authorisation. The services reported to have released the information were general practitioners (47), public hospitals (31), private specialists (23), private hospitals (9), mental health services (4) and other health organisations (9).

Lawful and unlawful disclosures

• 48 participants (1.6% of the total sample) reported information releases which would be legally defensible. Of these, 24 participants described information being passed from one treating practitioner to another. While these disclosures are accepted practice, they had not been authorised by the patients. For the other 24 participants, information release had been permitted or mandated by legislation or authorised by the patient. For example, some patients had been required to consent to release information in order to become entitled to benefits such as workers compensation or social security.

• 32 participants (1.1% of the total sample) described disclosures which would be legally indefensible. Among these were two who had received personally addressed advertisements for respiratory medications and who believed that their addresses and diagnoses had been released to a pharmaceutical company. Others had experienced disclosures by a practitioner of pregnancy, contraceptive use or a diagnosis to family members.

• 28 participants (0.9% of the total sample) gave responses which did not allow analysis of the lawfulness of the disclosures.

Harm resulting from disclosures

Fifty-seven participants (1.9% of the total sample) reported that unauthorised disclosures had caused trouble or problems for them. For 12 of these (0.40% of the total sample), this had occurred in the previous year.

Participants reported distress, embarrassment, arguments between family members and loss of trust in medical services as a result of unauthorised release of information. There were also more tangible losses, such as loss of employment, compensation and insurance entitlements or child custody.

Projections to the South Australian population

Projecting the proportion of participants who reported harm from information release to the South Australian population would indicate that between 2022 and 7530 such events (4776 ± 2 x standard error of the proportion) had occurred in South Australia in the 12 months before the interviews were conducted.

Healthcare complaints reported in South Australia

Events causing harm could be expected to lead to formal complaints or legal action. However, although there were an estimated 2000 or more South Australians who experienced harm after unauthorised information release in 1999, fewer than 20 formal complaints were made to the largest complaint-handling agencies. It follows that only a minority of patients harmed by unauthorised information release actually initiate a formal complaint.

Release of information without authorisation by the patient is not a perfect proxy for breach of confidence. Some disclosures do not require the patient's consent. They may be mandated by law and protect the interests of individuals other than the patient (eg, reporting of child abuse). Transfers of information between treating practitioners have not been the subject of legal sanctions and are accepted as routine practice.

However, patients may still experience adverse consequences or become mistrustful as a result of these disclosures. For this reason, all unauthorised releases of patient information resulting in harm may be viewed as adverse events, while recognising that some would not be found to be breaches of confidence if tested in a court.

The fact that general practitioners and public hospitals were most often identified as the source of unauthorised releases of information need not indicate less stringent data-handling practices in these settings, but reflects the volume of services being provided. In South Australia, in the 12 months before the survey, there were 7 329 500 Medicare rebates for general practitioner services, 337 144 separations reported by public hospitals and 154 613 separations reported by private hospitals.

The cumulative experience of perceptible health information "leaks" is nearly 4% in the adult population in South Australia. By comparison, data from the United States indicate that nearly 20% of adults become aware that health services have disclosed their information "improperly", and nearly 40% do not trust doctors and hospitals to keep information private and confidential.¹² While these figures suggest that the South Australian healthcare system compares favourably with that in the United States, healthcare practices vary greatly between countries, as do social expectations of health services. Thus, caution must be exercised in making international comparisons of confidentiality in health services.

The South Australian data do not include instances of information release without the patient's being aware of it; nor do they show whether the use of electronic medical records is undermining patient privacy. They do suggest that few harmful disclosures of health information result in formal complaints by patients.

The findings provide baseline performance measures for benchmarking trends in patient confidence in health services and in the prevalence of unauthorised disclosures by healthcare providers. It would be important for future research to distinguish between lawful and unlawful disclosures. Apart from the harm to individuals resulting from information disclosures, there is a public interest in ensuring that the general population has confidence in the integrity of health services.

1. R v Dept of Health, ex parte Source Informatics [1999] 4 All ER 185, Latham J at 196.17(269): 1404.
2. Cheng T, Savageau JA, Sattler AL, De Witt TG. Confidentiality in health care: a survey of knowledge, perceptions, and attitudes among high school students. JAMA 1993; 269: 1404-1407.
3. Banks HD, Williams AE, Nass CC, Gimble J. Changes in intention to donate blood under a hypothetical condition of reduced confidentiality. Transfusion 1993; 33: 671-674.
4. Privacy Commissioner. Community attitudes to privacy. Information paper no 3. Sydney: Human Rights and Equal Opportunity Commission,1995.
5. Bennett C. How do public attitudes on privacy vary among nations: comparative analysis of national privacy surveys prepared for the Global Business Privacy Project of the Center for Social and Legal Research. <http://www.privacyexchange.org> (accessed February 2001).
6. Carman D, Britten N. Confidentiality of medical records: the patient's perspective. Br J Gen Pract 1995; 45: 485-488.
7. Regan BG. Computerised information exchange in health care. Med J Aust 1991; 154: 140-144.
8. Carter M. Integrated electronic health records and patient privacy: possible benefits but real dangers. Med J Aust 2000; 172: 28-30. <eMJA full text>
9. Bray and Smith v Workers Rehabilitation (1994) 62 SASR 218, 30 Mar 1994.
10. Organisation for Economic Cooperation and Development. Guidelines governing the protection of privacy and the transborder flows of personal data 1980. Geneva: OECD, 1980.
11. Saffran C, Rind D, Citroen M, et al. Protection of confidentiality in the computer-based patient record. Clin Comput 1995; 12: 187-192.
12. Princeton Survey Research Associates. Medical privacy and confidentiality survey. Sacramento: California Healthcare Foundation, 1999.
13. Statistical Package for the Social Sciences (SPSS). Version10. Chicago: SPSS Incorporated, 2000.
14. Australian Bureau of Statistics. Population by age and sex, South Australia, as at 30th June, 1999. Canberra: ABS, 2000.

Authors' details

Reprints: Dr E C Mulligan, School of Law, Flinders University of South Australia, GPO Box 2100, Adelaide, SA 5001.
Correspondence: Dr E C Mulligan, School of Law, Flinders University of South Australia, GPO Box 2100, Adelaide, SA 5001.
ea.mulliganATflinders.edu.au

©MJA 2001
Make a comment