e-health-Learning

  eMJA     The Medical Journal of Australia

Home | Issues | eMJA shop | My account | Classifieds | Contact | More... | Topics | Search   

Consumers & Healthcare

Should patients have access to their medical records?

Paradoxically, access to one's own medical records is the best safeguard to privacy

Meredith Carter

MJA 1998; 169: 596-597
 

Introduction - An outdated model? - Impact of information technology - Benefits of subject access - The dilemma of disclosure - Should access to records always be given? - Conclusions - References - Authors' details
Make a comment - Register to be notified of new articles by e-mail - Current contents list - More articles on Law

Introduction With the advent of the electronic era, I believe a major deficiency of common law is its failure to provide the person who is the subject of a medical record with a right of access to that record. While legislation gives Australians an enforceable right of access to public sector health records, this is not generally the case for records created by private practitioners or agencies, as highlighted by the 1996 High Court decision in Breen v Williams.1 In this test case, a consumer was denied access to records held by her plastic surgeon, sought for the purpose of legal action against the manufacturer of silicone breast implants. The difference in right to access between the public and private sectors is surprising given the extensive interrelationships between public and private healthcare in this country, and the worldwide efforts to ensure that people have access to files -- including medical records -- kept about them. Australia is now lagging behind most of the developed world in this regard (see Box). Why is addressing this issue so important?

  Patient access to medical records

  Australia

  • Only the Australian Capital Territory has legislated to provide individuals with a generic right of access to private sector clinical records.2
  • New South Wales gives some access under 1996 regulations governing private hospitals, day-procedure centres and nursing homes.3-5
  Other developed countries6
  • The European Union Data Directive (applicable October 1998) requires all 12 member countries to enact legislation enabling subject access to medical records, if not already enacted.
  • The United Kingdom, a member of the European Union, passed the Access to Health Records Act in 1990.
  • The New Zealand Health Information Privacy Code, which came into force in 1993, creates an enforceable right of access.
  • Canadian courts have recognised a common law right of access.
  • Most states in the United States have enacted legislation to ensure subject access to health records, whether created in the public or private sector.
An outdated model? Traditionally, consumer interests in health records have been protected through the doctor-patient duty of confidentiality, whereby third-party access to records relied on the doctor's discretion and ability to control flow of the information in the patient's best interests. Now, concerns are increasing that the duty of confidentiality is inadequate for protecting consumer interests. Doctors today interact with a host of other health practitioners, diagnostic services and hospitals, all of whom contribute to the record. An army of support staff also has access. Even the solo private practitioner is no longer an island, but both employs administrative staff and shares relevant patient information with other treating clinicians. Further, many of those who have access to records (eg, receptionists, clerks, administrators and laboratory technicians) have no ethical or other duty to protect consumer confidentiality unless this is built into their contracts. The wider dissemination of data made possible by developments in information technology adds to concerns.

Impact of information technology Integration and use of a consumer's personal health information is facilitated by information technology applications such as smart cards, electronic networks between healthcare providers, computerised databases and unique consumer identification systems. Many of these applications involve linking personal information between different health practitioners and providers, and across the public and private sectors. For example, a typical data linkage project might share relevant information between the consumer's general practitioner, pharmacist, hospital, diagnostic and specialist services and perhaps a home nursing service.

This enhanced electronic capacity to collate, share, match and manipulate information generates risks as well as benefits. Policies and procedures are needed to ensure that no more than the relevant information is actually disclosed to other treating practitioners, particularly when information is likely to be especially sensitive (eg, psychiatric history and reproductive and sexual matters). Indeed, the Broadband Expert Services Review, commissioned by the Federal Government to consider potential uses of information technology, concluded that current attitudes to consumer access to personal health records were a significant barrier to acceptance of information technology in the healthcare sector.7

This is because of the large array of secondary uses of clinical records over which consumers have little control and which often involve identifiable information. For example, health departments are keen to access health records to determine exactly where health funds are spent and how to target them more effectively. Clinicians want access for peer review and quality assurance, while researchers and public health practitioners can also cite legitimate reasons for access.

Outside the healthcare sector, personal health records can influence many aspects of life, such as obtaining employment, life insurance or consumer credit. All too often, consumers are forced to gamble that consenting to disclosure of clinical records to third parties will not damage their interests. Unauthorised access to personal health information by third parties can be very damaging; the Australian Law Reform Commission noted, for example, that commercial clinics doing paternity tests would have a "goldmine" of information about their clients which could cause considerable harm if misused.8 This damage may be even greater if the records were incorrect or misleading.

Thus, the clinical record of the future, whether or not correct, will probably be increasingly used to inform highly detailed dossiers about consumers which could affect them significantly. I believe consumer access is crucial in minimising any negative effects.

Benefits of subject access As health records become more comprehensive and more widely shared, it becomes correspondingly more important that consumers are comfortable with what goes in the record in the first place, that it is accurate, that they are aware of what information is being distributed and whom it goes to. As absolute security of information in an electronic environment is a myth, the best security consists in ensuring the individual record is accurate. Indeed, without a right of access, some suggest data protection laws are of little use.9 Personal access and a right of challenge and correction are a basic way to promote accuracy.10

Subject access is intrinsic to the concept of individual participation underpinning the Information Privacy Principles in the Privacy Act 1988 (Cwlth). According to Justice Michael Kirby of the High Court, participation is the most notable and important privacy protection safeguard.11 As he has also noted:

If you can have access to information about yourself, check it, remove it in some cases and correct it when it is wrong, you have a most powerful weapon to protect your privacy . . . It is privacy used as a sword . . . To protect and assert [one's] own personal interests from the inquisitiveness of government and others alike.8

Organisations such as the Health Issues Centre and the Consumer Health Forum hope that increased access to health records will lead people to participate more in their healthcare decisions. Consumers will have a clearer idea about their condition and treatment and the roles of the various people involved in their care. The evidence available indicates that increased access does have this effect and is likely to have a positive rather than negative impact on doctor-patient relationships.6,12-15

The dilemma of disclosure Access to records is also inextricably linked with effective notice of third party use and informed consent to disclosure. Effective notification and truly informed consent require that individuals know and understand the contents of the record.16

Clinicians often hold "confidential" information provided by people other than the subject of the record. Providing a report rather than subject access to the record itself is not a solution to this problem. Information provided by third parties has obvious dangers -- it may be inaccurate and seriously prejudice the consumer's treatment. Most privacy guidelines require confirmation of the accuracy of information on the record before it is acted on,17 and this is particularly important for secondhand information. As subject access becomes more common, health practitioners will need to be circumspect about information from third parties and more open with consumers about what they have been told.

Should access to records always be given? The starting point should be a presumption in favour of disclosure to the individual concerned, but this is not to argue that access to records should always be given, especially when it is likely to cause serious harm, either to the consumer or to a third party. However, withholding the record should be considered unusual and subject to review to ensure the practitioner's concerns are substantiated (eg, by an alternative clinician nominated by the consumer). As Bloch and colleagues have noted, studies focusing on patients' reactions to their records have shown therapeutic benefits, even when they did not like what they learned.12 While some patients may need support when accessing clinical files, these findings apply generally, even in psychiatric cases.12 It also seems likely that, as consumer access becomes the norm, a more participatory approach to creation of the record will result. So, access is not just about privacy, but also about facilitating communication, informed consent to treatment and quality of healthcare.

Conclusions Traditional approaches to protecting personal health information focus on the doctor's discretion and security of the record. Today, in an electronic environment with a team approach to health care, this approach is inadequate and undermines the trust fundamental to the doctor-patient relationship. Consumer access to their records will help reinforce that trust. We must move from a focus on security to a focus on participation.

References
  1. Breen v Williams (1996) 186 CLR 71.
  2. Health Records (Privacy and Access) Act 1997 (ACT).
  3. Private Hospitals Regulation 1996 (NSW).
  4. Day Procedures Centres Regulation 1996 (NSW).
  5. Nursing Homes Regulation 1996 (NSW).
  6. Cornwall A. Consumer access to health records. Health Law Bull 1996; 5: 81-90.
  7. Anthony D, Mandeville T, Hearn G, Holman L. Demand for Broadband services in the health sector. Brisbane: Communication Centre, Queensland Institute of Technology, 1994: 46-47.
  8. Australian Law Reform Commission. Freedom of information discussion paper 59. 1995: para 11.21, footnote 58.
  9. Gellman R. Approaches to privacy protection in the United States: genetic privacy. Proceedings of the 14th International Data Protection and Privacy Commissioners Conference. 1992: 69, 74.
  10. Crowe B. Telemedicine in Australia. Australian Institute of Health and Welfare Discussion Paper. Canberra: AIHW, 1993: 9.
  11. Kirby M. Reform the law: essays on the renewal of the Australian legal system. Canberra; AGPS, 1983: 201-202.
  12. Bloch S, Riddell C, Sleep T. Can patients safely read their psychiatric records? Med J Aust 1994; 161: 665.
  13. Bergen L. Patient access to medical records: a review of the literature. Aust Med Rec J 1988; 18: 102.
  14. Parrott J, Strathdee G, Brown P, et al. Patient access to psychiatric records: the patient's view. J R Soc Med 1988; 8: 520.
  15. Westbrook J. Patient access to medical information, Part 1: a review of the issues. Aust Med Rec J 1988; 18: 11.
  16. O'Connor K. Confidentiality, privacy and security concerns in the modern health care environment. Aust Computer J 1994; 26: 70.
  17. Privacy Act 1988 (Cwlth). Information Privacy Principle 2.
Authors' details Health Issues Centre, Melbourne, VIC.
Meredith Carter, LLB, BA, Director.

Reprints will not be available from the author.
Correspondence: Ms Meredith Carter, Health Issues Centre, Level 11, 300 Flinders Street, Melbourne, VIC 3000.
E-mail: hicjmcATvicnet.net.au

©MJA 1998
Make a comment

Home | Issues | eMJA shop | My account | Classifieds | More... | Contact | Topics | Search

The Medical Journal of Australia    eMJA  


Readers may print a single copy for personal use. No further reproduction or distribution of the articles should proceed without the permission of the publisher. For permission, contact the Australasian Medical Publishing Company.
Journalists are welcome to write news stories based on what they read here, but should acknowledge their source as "an article published on the Internet by The Medical Journal of Australia <http://www.mja.com.au>".
<URL: http://www.mja.com.au/> © 1998 Medical Journal of Australia.
We appreciate your comments.