Orders have been made in these matters that the name of the applicant not be disclosed to preserve the privacy of his health information. The Applicant is referred to as DMP.
DMP applied to the respondent, Sydney Local Health District (SLHD), pursuant to s 53(1) of the Privacy and Personal Information Protection Act 1998 (PPIP Act) seeking internal review of conduct of SLHD which he alleges had breached certain Health Privacy Principles (HPPs) set out in Schedule 1 of the Health Records and Information Privacy Act 2002 (HRIP Act). These applications concern three matters which, briefly, relate to:
1. The accessibility of DMP's health information to persons who participate in training sessions conducted by SLHD on how to use the "eMR" - the electronic medical record database used by SLHD to hold and manage patient health information - and the use of that information in training up to 10 January 2018;
2. Not being an offered an opportunity to not identify himself when he presented to emergency at a SLHD hospital on 6 June 2018 under a false name and, following discussion with hospital staff, being coerced into handing over his Medicare card; and
3. From 11 January 2018 to 15 March 2018 the retention and continued accessibility and use of DMP's health information, including his prior attendance at a methadone clinic, in the non-production database version of the eMR called "eCERT" which is used for training. DMP also complained about the failure of SLHD to restrict access to his health information and about the continued use of that information after he withdrew consent. He also makes various other complaints.
DMP filed three applications with the Tribunal seeking review of the alleged conduct.
A significant volume of material has been filed by both parties in relation to these applications. It has not been possible in these reasons to refer to every document filed, nor is it necessary to do so.
Unfortunately, much of DMP's submissions is difficult to understand, is circuitous, puts forward conjecture as evidence and contains hyperbole. His complaints also appear to have expanded over time and through his many submissions. The scope of the matters before the Tribunal is determined by the scope of his internal review applications in these matters (KO v Commissioner of Police (NSW) [2005] NSWADTAP 56 at [13]; Department of Education v ZR (No 2) [2009] NSWADTAP 44 at [16]).
[2]
Applications 1 and 3 - 2018/00199878 & 2019/00017318 - use and retention of health information in eCERT
Before detailing DMP's complaints it is useful to set out information in relation to the eMR and eCERT.
Alexandra Wagstaff, Acting Chief Information Officer, SLHD, states that the eMR refers to the "electronic medical record" which is an electronic version of what would have been a patient's paper medical record. The eMR domain used by SLHD is shared with South Western Sydney Local Health District (SWSLHD) and includes clinical information in relation to inpatients, outpatients and patients in community-based care. Ms Wagstaff states that patient information includes matters such as medication information, medical history, external referrals, pathology orders and results. Patient information is collected through a variety of manual (for example, updating by a clinician) and automated (such as uploading a patient's vital signs from a vitals machine) processes. Ms Wagstaff states that the eMR contains records of over 5 million patients.
Ms Wagstaff states that, from time to time, copies of the production environment of the eMR are made. A copy is a point in time snapshot of the eMR and is known as a "non-production environment". Ms Wagstaff states that the purposes of creating a non-production environment are 1) to enable development and testing of new aspects of the code underpinning the system, and 2) to train end users on the use of the eMR. All students and others are not trained using the eMR itself, but, rather, in the non-production environment so that the real eMR is not compromised in any way by the creation or modification of data during training. Up until November 2018 the non-production environment was known as eCERT and has been known as SCert since that time. Generally speaking, a copy is retained and used for a certain period before being replaced by a ore recent copy.
Ms Wagstaff also refers to a further non-production environment known as SMOCK which is a copy of the eMR taken on 17 February 2018. SMOCK is not generally used for training but is used for development and testing, although has been used for select eMR clinician training where other non-production environments were not suitable.
[3]
Background
The uncontroverted background to DMP's applications is that, as a third year medical student about to commence work at a hospital in SLHD, in January 2013 he undertook training in how to use the eMR. DMP states that the purpose of the training was to learn how to search for and access health records, with a view that students would know how to navigate the system during clinical rotations.
Prior to undertaking the training DMP signed the "eMR User Access Request form and data security declaration" in which he acknowledged that he had read and understood the following responsibilities and obligations:
You are aware of your responsibilities under the Health Records Information Privacy Act 2002 and the Privacy and Personal Information Protection Act 1998, as outlined in NSW Health, SLHD. SWSLHD and (where appropriate) SSWAHS policy documents. As such, you understand that you are not to access your own records unless in the presence of your medical practitioner. You are not to access work colleagues, friends or family members records.
On the day he attended the training, DMP completed a checklist which included the statement "I agree that I have attended formal training and I have been instructed in the above and I understand my responsibilities under Privacy and Security Legislation".
DMP states that during the training session he accessed his own records. He states that he also suspects that someone else accessed his records during a training session (not necessarily the session he took part in). He also states that he looked up the records of other people he knew and someone else in the training session implied they did likewise.
DMP first made contact with SLHD about any concerns in November 2016. On 3 November 2017 DMP wrote to SLHD in the following terms:
I kindly ask that you cease all use of my health records for any secondary purposes. This includes use of my records for eMR training sessions, as well the inclusion of my records in a larger training dataset where its presence could result in it being accessed during training sessions.
There then followed a good deal of correspondence between DMP and SLHD about his concerns and an investigation was undertaken. On 28 February 2018 DMP was provided with a report on the investigation in which it was proposed that his name on eCERT be changed to an alias and that an electronic alert be placed on eCERT indicating that access to the record was restricted. DMP responded on 7 March 2018 stating that he did not agree with the proposed restriction on his records and indicated he wished his records to be deleted from eCERT.
SLHD advises that on 23 May 2018, following further correspondence with DMP, information about him on eCERT was de-identified in that his last name was changed to "UNKNOWN" and his first name was changed to "Male" wherever they appeared. DMP's patient record on eCERT was also deactivated in that it was made unsearchable by end-users.
[4]
The complaints
DMP has made a number of complaints of breaches of his privacy arising out of the inclusion of his health record in eCERT. These in relation to matter 2018/199878 are:
1. that his health information has been unlawfully used by SLHD for eMR training in breach of HPP 10 as it does not have a training exemption to do so;
2. that there was no implied consent that his health information relating to his attendance at a methadone clinic on 14 October 2008 could be used for eMR training;
3. even in the absence of an authorised access to his information, his health information was exposed to an unreasonably high risk of unauthorised access through eCERT;
4. when access logs prior to 21 November 2014 were deleted, SLHD destroyed evidence;
5. even after being made aware of his express refusal to consent to secondary uses of his information, SLHD continued to retain his health information and used it for eMR training.
In relation to complaints (a), (b) and (c) DMP originally stated that the scope of his application was for the period 1 January 2011 to 10 January 2018. In relation to (e) he referred to the time period between 1 December 2017 and 10 January 2018. Before the Tribunal DMP seeks to expand the scope in (a) and (c) to go back to his first admission to hospital on 9 May 2003; for (b) he seeks to go back to 14 October 2008, the date of his attendance at the methadone clinic.
DMP raises further matters in matter 2019/00017318 (application 3). In this application DMP alleged similar privacy breaches to those in the first matter plus he raised some additional issues. These relate to:
1. any eMR training sessions between 10 January 2018 and 15 March 2018 involving the use of the non-production environment eCERT and where his identifiable health information had been present within eCERT;
2. the presence of his identifiable health information within a non-production environment other than eCERT for any purpose between 10 January 2018 and 15 March 2018;
3. any eMR training sessions between 11 January 2018 and 15 March 2018 involving the use of the non-production environment eCERT and where identifiable health information relating to his prior attendance at a methadone clinic was present;
4. failure of SLHD between 1 January 2018 and 15 March 2018 to restrict access (within both the eMR and non-production environments) to health information relating to his attendance at a methadone clinic;
5. exposure of his health information to an unreasonably high risk of unauthorised access through the use of any non-production environment, including but not limited to eCERT even in the absence of any unauthorised access of his information from 11 January 2018 to 15 March 2018;
6. unlawful retention and use of his health information within eCERT and any other non-production environment for any secondary purposes following enforcement of his "express refusal notice" between 11 January 2018 and 15 March 2018;
7. the conduct of SLHD between 12 December 2017 and 15 March 2018 in not informing him whether use of his information was continuing in breach of HPP 6;
8. unlawful disclosure by SLHD of his health information to the NSW Information and Privacy Commissioner sometime between 7 March 2018 and 13 March 2018;
9. someone in SLHD unlawfully used his health information for the purposes of unlawfully de-identifying it on 23 May 2018;
10. failure to safeguard his health information by exposing it to the Chief Executive as well as the Clinical Governance Unit;
11. failure of SLHD to update his health information to reflect his Advance Care Directive and his requirement that 100 points of identification be collected prior to treatment of anyone claiming to be him;
12. the unlicensed retention, use and/or disclosure of the health information of Mr A, Mr B and Mr C (and possibly Mr D who DMP refers to in submissions) without consent to do so.
[5]
Training sessions using eCERT
DMP has provided little direct evidence of what occurred during the training session in January 2013. He does state that midway through the training session the trainer said words to the effect "don't go looking up anyone famous". He also acknowledged that he had signed the data security declaration and said at the hearing that he knew what he had done was wrong.
Ms Wagstaff states that training is conducted in accordance with training checklists and facilitator guides. She states that during the training session, trainers direct students to look up and perform various tasks on mock patient records or de-identified patient records. Ms Wagstaff states that trainers do not conduct training using real patient records that have not been de-identified beforehand. She states that in advance of training sessions, mock patient data is usually added and particular patient records are de-identified. This process occurs regularly because, during training, students enter and amend the information that appears in the mock and de-identified records and it is necessary to use fresh records.
Ms Eva Fares, Health Information Manager, SLHD, states that de-identified patient data is real patient data that has had all the patients identifying details removed or changed prior to the training session.
DMP raises issues in his submissions about the meaning of "de-identified", particularly in relation to radiology and pathology reports, but has not provided any information which indicates that he was required to access identifiable real patient records during the training in January 2013.
[6]
Use of information in eCERT
HPP 10(1) provides that an organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected, although certain exceptions are provided for including, relevantly, "consent", "direct relation" and "training".
DMP alleges that his personal health information was used during the training session in which he participated and has been used in many other training sessions conducted by SLHD. He agreed at the hearing that it was not necessary for the purposes of the training he received in January 2013 for him to look up his own record or the records of people known to him during the training.
SLHD submits that there has been no use of DMP's information in conducting training on a database that held his health information. SLHD relies on the information contained in the affidavit of Ms Wagstaff outlined above that, while real patient records are present in the database, only mock records or de-identified patient records are actually used for training medical students and others in how to use the eMR.
Clearly mock records, that is records pertaining to persons who do not exist, would not contain "personal information or "health information" as those terms are defined in ss 5 and 6 of the HRIP Act. SLHD submits that the de-identified records used during the training also do not contain personal information or health information because the identity of the individual concerned is not apparent, and could not reasonably be ascertained, from the information or opinions contained in the record.
DMP refers to emails to him which state that some records "can't be de-identified, such as pathology and radiology" to argue that records within eCERT could not be de-identified for the purpose of training. These emails, however, related to the merger of records relating to DMP under his own name and a different name he had used when receiving treatment. SLHD states that the relevant scans could not be de-identified and the names needed to remain on them as there was a need to match the scans in different names for the purposes of treatment.
No evidence was provided that "de-identified" records used in training actually contained identifiable radiology or pathology records or information which would lead to the identity of the patient being apparent. Ms Wagstaff stated at the hearing that legal advice would be sought in relation to the de-identification of records. In the absence of any other evidence, I accept that de-identified records contained in eCERT and used in training do not contain personal information or health information as defined.
There is no question, however, that eCERT holds real patient data and, certainly at the time DMP participated in the training, contained his health record. These records are certainly records containing personal information and health information. At issue is whether these records were used in the training.
"Use" in the context of HPP 10 is "to avail oneself of; apply to one's own purposes" (FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 at [42]). In JD v Department of Health [2005] NSWADTAP 44 the Appeal Panel stated that "use" normally bears the connotation of employing information for a purpose. Mere access or retrieval would normally not be enough to come within the meaning of "use" (at [42]). Similarly, in GL v Department of Education and Training [2003] NSWADT 166 at [42] the Tribunal stated that "use" means to "to employ for some purpose, put into service; turn to account".
DMP has not identified any use of his health information during the training in line with the meaning of "use" as set out above. The mere presence of his information within the database and the fact that it was accessible does not, in my view, amount to use. In light of this conclusion it is not necessary to go on to examine whether any of the exemptions to the prohibition in HPP 10(1) apply.
My conclusion that DMP's health information was not used in the eMR training session he attended extends to his allegations that his information was used in other training sessions before or after the date of that training. I also note that DMP's information was de-identified in May 2018 and is no longer accessible in the non-production environment.
[7]
Lack of reasonable safeguards to protect information
DMP submits that SLHD did not employ reasonable safeguards to protect his health information within eCERT. He alleges the following conduct amounts to a breach of HPP 5:
the use of throwaway login credentials by students during eMR training e.g. User101;
failure to implement user access controls so that records of real patients, including his, were accessible to those being trained;
failure to log user access; and
failure to audit access logs.
DMP also argues that even if his health information has not been used in eMR training, SLHD has retained his information unlawfully in breach of HPP 5 as information must not be kept any longer than is required for lawful use. This is particularly the case as eCERT is a duplicate of the eMR.
SLHD submits that it has put in place security safeguards that were reasonable in the circumstances in relation to personal and health information held in the non-production environment.
HPP 5 provides that an organisation that holds health information must ensure that:
1. the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
2. …
3. the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.
Other than DMP's evidence that he accessed his records during eMR training, there is no direct reliable evidence that either his own records or the records of other people have been accessed by persons without authority. DMP in his evidence refers to his belief that someone he knew looked up his records during a training session and also to an alleged incident where a fellow student asked others who had looked up their (or other's) records during training.
It does seem that up until relatively recently medical student trainees were provided with generic login credentials for use during training sessions and these credentials were not attached to an individual student's identity.
In her affidavit Ms Wagstaff confirms that trainees are provided with a generic login and password for use during the training session. She states that students are only provided with an individual eMR login once they have completed their training and commence work. She states that the generic login for eCERT provides students with the same level of access they would have to the eMR once they commenced work. Indeed, training is usually conducted shortly before students commence their rotation, even on the same day. Ms Wagstaff states that since June 2018 trainers record the generic login allocated to a trainee next to his or her name on the attendance sheet for a particular training session. She notes that login credentials provided for the eMR cannot be used to access the non-production environment, and vice versa. Dr Angus Ritchie, Chief Medical information Officer, SLHD states that it was recognised that the auditability of training could be improved and so the individual training logins were introduced.
Ms Wagstaff states that since June 2018 trainers also use a preprepared written script to caution trainees about their privacy obligations. It is her belief, however, that prior to the introduction of the preprepared script, trainers consistently and routinely included a section on confidentiality, privacy and security and user obligations during training.
In her affidavit Ms Wagstaff also states that, at the beginning of each training session, students are cautioned not to access the real patient information is stored on eCERT during the training session. As noted above, DMP states that midway through the training session the trainer said words to the effect "don't go looking up anyone famous".
Ms Fares provided evidence that before the commencement of training trainees must sign the data security declaration. As noted above, DMP signed such a declaration and also signed the checklist in relation to the training which also included a statement that he understood his privacy and security obligations.
DMP argues that a copy of the eMR should not be used for training purposes as it exposes the health records of millions of people to unauthorised access. He refers to the fact that a number of other health districts in NSW use dedicated training modules to train staff in the use of electronic records management. Ms Wagstaff states that at the present time there is no environment other than the non-production environment to use for eMR training in SLHD. She states that planning is in hand, however, for the development of a dedicated training domain that contains mock patient information only. However, she goes on to detail various limitations of working with mock patient data only such as an inability to link with other SLHD systems as can be done with the eMR.
Ms Wagstaff further states that access to the non-production environment is restricted. She states that the non-production environment is published only to certain computer terminals located in dedicated training spaces within SLHD as well as to the network accounts of those within the Applications Team whose function includes to build code for the eMR and to test or certify it using the non-production environment. Ms Wagstaff states that in rare cases, the non-production environment may be published to the network accounts of individual clinicians so that new builds can be verified with users who have relevant clinical expertise. She states that some ICT staff may have remote access to the non-production environment using two factor authentication. Similarly, she states that some clinicians may have remote access to the live eMR using two factor authentication.
In relation to the auditing of records, DMP refers to the deletion of access logs prior to 21 November 2014 and the failure to audit access logs. He alleges that the conduct of SLHD in this regard has meant that there were virtually no safeguards in place to prevent access or to monitor whether unauthorised access had occurred.
Ms Fares states that prior to November 2018 and the introduction of quarterly audits, ad hoc audits were conducted in relation to the eMR production and non-production environments. Ms Wagstaff in her affidavit sets out that copies of the eMR are taken periodically because, as they age, their utility diminishes. Ordinarily, when a copy of the eMR is made, the previous copy is shut down. She states that the copy of the non-production environment which was in use when DMP undertook training was shut down in July 2012. As a result, the information about access to that non-production environment that was stored within it was deleted along with its contents.
Ms Wagstaff also refers to the P2 Sentinel audit tool, which is a method to audit access to medical records that survives the shutdown of the relevant non-production environment. She states that the system maintains logs separate to the application so they can be audited for eCERT versions that have been closed down. According to Ms Wagstaff this tool was acquired in about April 2011 and is activated by switching on the connection between it and the database that is to be tracked. Dr Ritchie states that SLHD introduced the P2 Sentinel tool in 2011 in advance of other areas in the state to provide the highest level of security for the system. Ms Wagstaff states that the P2 Sentinel tool has only been continuously activated in relation to the non-production environments since November 2014. Records of access to the non-production environments are therefore available from November 2014. Records prior to this time are available but in an incomplete form because the tool was only switched on periodically in relation to the non-production environments from 2011 to 2014. That is, there will be gaps in the audit during that period.
Ms Wagstaff states that reports generated using the P2 Sentinel audit tool show that DMP's records on eCERT and SCert (as it is now known) have not been accessed since November 2014 and were not accessed in the periods when the tool was activated before November 2014.
DMP argues that additional safeguards should have been in place with respect to the information that he had attended a methadone clinic considering the societal and moral opprobrium attached to opioid drug use and drug addiction. It is not readily apparent why this should be so. All health information can be and is regarded as sensitive personal information.
As noted above, DMP refers to other Health Districts which have dedicated training databases and implies that, as a result, SLHD's use of the non-production environment (eCERT and then SCert) is therefore defective. It must be said that the use of a database containing only mock records for training would ensure that no privacy breaches would occur. The issue here, however, is, given the method employed by SLHD, whether it has put in place such security safeguards as are reasonable in the circumstances, to protect the information.
I have some concerns about the use of generic login credentials which were in use up until June 2018 without any record being kept of which student used which login. Clearly, if that were the only method that was employed, it would be insufficient to protect sensitive health information from unauthorised access. What must be considered, however, is the suite of mechanisms employed to safeguard against unauthorised access taken as a whole rather than each item alone.
HPP 5 requires an organisation to take such security safeguards as are reasonable in the circumstances to protect information. The obligation is not absolute and requires a consideration of the practical difficulties faced by the agency and any shortcomings identified in an agency's safeguards must be weighed against those aspects which are satisfactory (EN v University of Technology, Sydney (No 2) [2009] NSWADT 193; FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72 at [41]). As was noted in FH:
The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.
Ms Wagstaff in her affidavit sets out some of the reasons why SLHD has used a copy of the eMR for training. These, including the system's ability to link with other systems in use in hospitals, are not insignificant. It is also important to note that the training is not provided to members of the public but, in this case, to medical students who are about to commence clinical rotations, sometimes even on the same day, at which time they are given full clinician access to the eMR and are subject to the same data and privacy restrictions as during training.
Importantly, trainees are required to complete the data security declaration before undertaking the training and are required to acknowledge at the end of the training that they understand the security and privacy requirements. Trainers are also required to advise students of their obligations. If DMP's account is accepted, it does appear that the trainer in his session was somewhat perfunctory in this regard, but that does not mean that they system itself was lacking. The introduction of a standard pre-prepared script, as is now in place, is obviously a step forward. The fact that DMP ignored his obligations with respect to privacy and data security, knowing that it was wrong to do so, also does not indicate a general systemic issue or lack of safeguards.
I am satisfied on the evidence that has been provided that it is possible to audit the non-production environment to obtain records of access. While it does appear that there is a period prior to November 2014 when access records are now incomplete, that position was remedied and a sophisticated auditing tool now runs continuously. I also accept the evidence that audits were undertaken, albeit on an ad hoc basis prior to the introduction of quarterly reports.
As noted above, contrary to DMP's belief that there has been widespread access to his and others information held in the non-production environment, there is simply no evidence, other than his statement that he accessed his own records and believes that someone else did as well, that there has been any such access.
Overall, while there may be aspects of the security safeguards put in place by SLHD which might not meet best practice, I am satisfied that the system of safeguards put in place to protect the information against unauthorised access were reasonable in the circumstances and were not inadequate. It must be said that no system can guard entirely against wilful disregard and desire to circumvent the safeguards in place.
[8]
Presence or use of DMP's health information within eCERT or any other non-production environment
This complaint appears to relate to the presence or use of DMP's health information within the non-production environment for a purpose other than training. As noted above, the non-production environment (formerly eCERT) is also used for development and testing the eMR application.
SLHD submits, and I agree, that there has been no demonstrated "use" within the meaning of that term in HPP 10 of DMP's health information within the non-production environment. DMP has in fact not made any specific allegations that his health information was accessed other than in a training context. There is no evidence that the mere presence of his information in the non-production environment has led to any breach. Ms Wagstaff provides evidence that access is restricted to relevant staff and, if remote access is required, it is done through two factor authentication, which is a standard security tool.
[9]
Failure to update health information
DMP complains that SLHD breached HPP 8 by not updating his health information with information contained in documents referred to as "advance care directive" and "express refusal notice".
DMP states that an individual's expressed wishes about future treatment is considered health information under s 6(a)(ii) of the HRIP Act. He sent an Advance Care Directive to SLHD and asked that it be attached to his records. He states the fact that there has been a failure to update his personal health information is a breach of HPP 8. This complaint also relates to his stated intention notified to SLHD on 20 March 2018 that he does not intend to ever seek treatment using his real identity and therefore, when treating any person claiming or claimed to be him, he expected SLHD to verify the patient with 100 points of identification. He states that his personal health information ought to have been updated with this information.
HPP 8 requires an organisation to update health information at the request of the person in relation to whom the information is held to ensure that it is accurate and, having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
The exact wording contained in the 4-page 20 March 2018 letter (which dealt with a number of matters) was as follows:
And finally, I also wish to advise you of my intention to never seek treatment from SLHD using my real identity. As a corollary:
When treating any person claiming or claimed to be me I expect you to verify that patient with 100 points of identification and retain documentation that is AML/CTF Act compliant.
SLHD states that it did not understand that the correspondence was a request by DMP under HPP 8 to update his health information. I agree that the letter does not in this respect appear to be a request to update a health record but rather a statement of intention and expectation. In my view SLHD acted reasonably in the circumstances and there is no breach.
The terms of the "Advance Care Directive" supplied by DMP to SLHD on 29 July 2018 had an enforcement date of 1 July 2019. In it he asked that SLHD confirm whether or not it would accept the document as lawful and valid, and if so ensure that it was attached to his records. Under the terms of the document, DMP stated "I refuse all treatment under all circumstances". The document, however, then went on to say that, if he was registered anonymously as UNKNOWN and, in effect, there was no cross-referencing between the records in his own name and those of UNKNOWN, then he consented to treatment.
SLHD states that the document was not attached to DMP's record at the time because it had a start date of 1 July 2019 and because it was concerned that to attach the document to DMP's patient record would be inconsistent with its general law duty of care to him.
SLHD submits that it was not required to comply with the request in circumstances where HPP 8(4)(b) provides that "non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law". The phrase "any other law" has been held in relation to the equivalent Information Privacy Principle under the PPIP Act to include the common law of Australia (Director General, Department of Education and Training v MT [2005] NSWADTAP 77 at [83] CCM v Western Sydney University [2019] NSWCATAP 103 at [65]).
It is certainly arguable that SLHD has a general duty of care to those who present seeking its services. In addition the Health Services Act 1997 in section 10 gives it a number of functions including to promote, protect and maintain the health of the residents of its area and to achieve and maintain adequate standards of patient care and services. This it is difficult to envisage how complying with DMP's request would be in keeping with SLHD's legislated functions.
In my view there is no breach of HPP 8.
[10]
Disclosure to the Privacy Commissioner
On 1 March 2018 SLHD provided to the Information and Privacy Commissioner a copy of a document titled "Report of Investigation Findings" in relation to DMP's request for internal review. DMP states that SLHD breached HPP 11 by disclosing his personal health information to the Information and Privacy Commissioner. He submits that sending the internal review report to the Information and Privacy Commissioner was an unlawful disclosure and breach of HPP 11 in circumstances where SLHD insisted that it had not accepted his internal review application, let alone commenced a review. He refers to this as the "fake internal review" and alleges corrupt conduct.
In passing, I note that there does appear to be some confusion in the document as to whether it is a report on an investigation or an internal review report. At the hearing, DMP accepted that, if this was a mistake, then he had no proper basis for complaint. I agree with SLHD that there is no evidence of any improper conduct.
In any event, from the correspondence provided in the documents filed with the Tribunal, it appears that DMP had been in contact with the Information and Privacy Commissioner about his concerns. There was also correspondence between the Information and Privacy Commissioner and SLHD in which information was sought by the Information and Privacy Commissioner about the conduct of an internal review by SLHD in relation to DMP's complaints concerning access to his health information. In response to this correspondence a copy of the report was sent to the Information and Privacy Commissioner on 1 March 2018.
HPP 11 provides that an agency that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected. HPP 11(1) is, however, subject to a number of exceptions. One of these exceptions is if the disclosure of health information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies. This extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency.
I agree with the submissions of SLHD that the Information and Privacy Commissioner was investigating or otherwise handling a complaint, that is the complaint made by DMP, and that it can be inferred that from the making the request for information from SLHD, that the disclosure of the health information was reasonably necessary for the exercise of that function. In these circumstances the provision of DMP's information to the Information and Privacy Commissioner was lawfully sanctioned and not in breach of HPP 11.
[11]
Use of health information when de-identifying it
DMP claims that there was an unlawful use of his health information when it was de-identified on 23 May 2018. This refers to the actions taken to render his information unsearchable on eCERT as outlined above.
DMP claims that what was done was not what he agreed or consented to and states he wanted his information deleted. He did concede, however, that he was aware that his health information could not in fact have been deleted. DMP has not clearly articulated how the process which was undertaken in an attempt to do what he asked, namely, prevent any use or access to his health information within eCERT, was unlawful or amounted to a use of his health information.
In my view there was no "use" of DMP's health information in this process in that his information was not employed for any purpose (see meaning of "use" above). In the circumstances, I am not satisfied that there has been a breach of any HPP.
[12]
Breach of HPP 6
As I understand it, DMP alleges that SLHD did not respond to his requests about whether his health information was still being used for training after he withdrew his consent on 3 November 2017 for his health information to be used for training purposes. He states that SLHD's conduct was in breach of HPP 6 which relates to the obligation placed on agencies to enable an individual to obtain details about information held about them.
There was considerable correspondence between DMP and SLHD and an offer was made (which he rejected) to alias his information in response to his request. I am satisfied that SLHD took such steps as were reasonable in the circumstances to satisfy the requirements of HPP 6.
[13]
Complaints made as "health information broker" in relation to third parties
DMP alleges that SLHD breached HPPs 5, 10 and 11 in relation to its handling of the health information of third parties including Mr A, Mr B and Mr C. Copies of letters signed by Mr B and Mr C have been provided to the Tribunal. These letters relate to the alleged unlawful use by SLHD of their personal health information for eMR training. There is also a letter of authority from Mr C authorising DMP to act as his agent as his health information broker. DMP, acting as agent, submitted an internal review application on behalf of Mr C to SLHD.
DMP states that he is a person aggrieved by the conduct as he is "the state's premiere consent-based health information broker" and SLHD's "failure to comply with the express refusal notices that I prepared for them" gives him standing as this has interfered with his commercial and ideological interests. In one of his submissions DMP states he will be seeking to recover $40,000 in "lost brokerage fees".
Review of a breach of an HPP by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies. Section 53(1) the PPIP Act provides that a person is entitled to review of an agency's conduct if the person is "aggrieved" by that conduct. SLHD submits that DMP is not a person "aggrieved" by the conduct alleged against it and therefore the Tribunal does not have jurisdiction to review the alleged conduct.
In Altaranesi v Administrative Decisions Tribunal [2004] NSWCA 19 it was suggested that a person can fall within the definition of an "aggrieved" person for the purposes of s 53(1) if they can demonstrate that the alleged conduct has had a prejudicial effect on them. In certain circumstances the Tribunal has found a person to be a person "aggrieved" even if their personal information was not the subject of the conduct (see for example KO & Anor v Commissioner of Police, NSW Police [2004] NSWADT 3; NR and NP v Roads and Traffic Authority [2004] NSWADT 276).
It is possible that interference with financial interests could give a person standing to seek review of conduct. However, in this case, there is no evidence of any prejudicial effect upon DMP of the alleged conduct in relation to the named persons. There is certainly no evidence that there has been any interference with his financial interests or that indeed there was any commercial relationship between DMP and the other men.
To the extent that DMP complains about SLHD's dealings with the health information of Messrs A, B and C, there is no evidence that would establish that he is a person "aggrieved" by the alleged conduct of SLHD. Simply having a similar interest is insufficient. The Tribunal therefore does not have jurisdiction to review the alleged conduct.
[14]
Application 2 - 2018/00355100 - presentation to emergency on 6 June 2018
On 6 June 2018 DMP presented to a hospital in SLHD with severe abdominal pain. He gave a false name and told staff that he did not have his wallet on him. According to DMP he was registered as a new patient under the false name he had given and admitted. He states that several hours after his admission, he was told he would need to provide his Medicare card. DMP states he advised staff that the name he had provided was a pseudonym and that he was asserting his right to be treated anonymously. He states that he was then informed that without a Medicare card, he would not be able to be treated as a public patient and would be required to pay for all treatment.
DMP states that he agreed that he would pay for the treatment but was then informed he was still required to provide a Medicare card before he could be treated. He states that he checked that he had heard this statement correctly so that there was no misunderstanding or ambiguity and, owing to the pain he was in, provided his Medicare card to staff.
DMP submits that the conduct of SLHD resulted in several contraventions of the HPPs, namely:
1. HPP 13 - by refusing to treat him anonymously when it was both lawful and practical for him to receive treatment under a pseudonym;
2. HPP 1 - by unlawfully collecting his name and/or Medicare number because it was not reasonably necessary, and HPP 2 - as the collection of that information was excessive and/or irrelevant for the purposes claimed;
3. HPP 1 - by coercing him into providing information (his Medicare details) that it knew was not required in breach of s 70 of the Act, rendering the collection of that information unlawful;
4. HPP 4 - even though DMP stated he would pay cash, he was told he needed to supply his Medicare card. This was a breach of HPP 4 because he was not told the purpose of collection and there could be no lawful reason to hand over his Medicare card in the circumstances; and
5. HPP 5 - by exposing his identifiable health information to an unreasonably high risk of unauthorised access and misuse by failing to protect it against those responsible for safeguarding it. (This alleged contravention relates to the retention of DMP's health information in the eMR non-production environment.)
HPP 13 states that wherever it is "lawful and practicable" individuals must be given the opportunity to not identifying themselves" when receiving health services from an organisation.
HPP 1 provides that health information must be collected for a lawful purpose directly related to a function or activity of the organisation and that collection must be reasonably necessary for that purpose. HPP 1 also provides that health information must not be collected by unlawful means.
HPP 2 provides that an organisation that collects health information must take steps that reasonable in the circumstances to ensure that the information collected is, among other things, relevant and not excessive.
Edgar Mendoza, who at the relevant time was the Acting Clerical Reception Manager for the Emergency Department at the hospital, states that he was approached by one of the administrative officers at reception on the day in question who asked for help in regard to a patient who he now knows to be DMP. The officer told Mr Mendoza that the patient did not want to provide any information and the name the patient had provided was not on the HPOS - the Health Professional Online Services which is an online system whereby health professionals can access a Medicare check to confirm a patient's Medicare eligibility. The officer said that he registered the patient under the name given but then found out that it was not in fact the patient's name.
Mr Mendoza said that he went to the front reception desk and called out the name that the patient had given to the officer. A man approached the reception desk holding a green card in his hand which Mr Mendoza recognised as a Medicare card. DMP confirmed to Mr Mendoza that he had not given his real name and said that he was concerned about his privacy. According to Mr Mendoza, DMP said that he was a medical student, that he had a case against the Ministry of Health and would file another one because he was being forced to release his information.
Mr Mendoza sought advice from the District Health Information Manager and was informed that obtaining the correct information was a part of patient registration. Mr Mendoza informed DMP that, if no Medicare number was associated with the name that was given, he would be billed for any services provided. He said that DMP said that he was happy to pay. Mr Mendoza said that when he asked him if he was paying by credit card, DMP handed him his Medicare card. Ultimately, DMP was treated as a public patient under his own name and underwent surgery.
In a statement filed in these proceedings, DMP denies ever speaking with Mr Mendosa, however, was more equivocal at the hearing. DMP states that he was in excruciating pain and was given morphine. He states that he is familiar with the effects of opioids and does not believe his cognition was impaired in any way.
SLHD submits that, in order to treat DMP as a public patient, his identity needed to be established. Although DMP stated he would pay for treatment, he offered no means of payment and, when questioned on how he would pay for treatment, proffered his Medicare card. SLHD submits that the only available inference is that DMP sought treatment as a public patient.
DMP argues that, in order to establish his eligibility to be treated as a public patient, he did not have to provide his Medicare card. He states that his eligibility could have been established through other means such as provision of an Australian passport. He also states that his eligibility could have been established by sighting his card and did not require provision of his Medicare number. DMP also states that treatments provided to public patients are not billed to Medicare, prescription drugs provided to public patients are not billed to Medicare and drugs provided under the PBS (Pharmaceutical Benefits Scheme) can be lawfully provided without a Medicare number.
DMP therefore submits that there was no lawful reason why he was required to produce his Medicare card. Similarly, he submits that it was practicable to treat him anonymously or under a pseudonym in order to provide services involving a multi-disciplinary team and to organise follow up treatment.
In particular, DMP submits that there was no need to record his Medicare number if he was going to pay for his treatment as an ineligible patient. This information was therefore unlawfully collected as it was not reasonably necessary to do so. DMP also submits that, the statement that he could not be treated, even as a private patient, unless he provided his Medicare card, amounted to coercion. Furthermore, as the collection of his Medicare details was the result of coercion, the collection was unlawful.
DMP also states that, at no time, was he asked to or did he complete the required form for election to be either a public or private patient as a Medicare eligible patient. He states that a hospital officer completed the form and it was not signed by him. Indeed, no effort was made to collect his signature. There is a notation on the form - "did not get any details [sic] or signature as per advice" and the initials AJ which DMP states are the initials of the admissions officer.
DMP states that he was coerced into handing over his Medicare card and was prevented from completing an election form.
SLHD submits that it was neither lawful nor practicable to provide DMP with an opportunity not to identify himself in the circumstances of the treatment provided to him between 6 June 2018 and 8 June 2018. SLDH argues that it could not provide treatment to DMP as a public patient and at the same time provide him with an opportunity not to identify himself. In short SLHD states that the legislative framework governing the provision of public hospital services in NSW under the Health Services Act 1997, the Medicare Principles set out in the Health Insurance Act 1973 (Cth) and the funding arrangements between the Commonwealth and the States and Territories as set out in the National Health Reform Agreement require NSW to provide "eligible persons" with the choice to receive public hospital services free of charge as public patients.
SLHD states that "eligible persons" are essentially Australian residents, defined as being Australian citizens or others who meet specific visa or immigration requirements, and some eligible overseas representatives. NSW is obliged to provide an "eligible person" with the choice to receive public hospital services free of charge as public patients. Where the person seeking treatment is not an "eligible person" or an "eligible person" chooses not to receive public hospital services free of charge, that person is liable to contribute the sum calculated in accordance with the scale of fees fixed under the Health Services Act which, if unpaid, is recoverable as a debt. SLHD therefore submits that, before it could treat DMP as a public patient on 6 June 2018, it was required to verify that he was an "eligible person". In fact, in order to even offer him the choice to be treated as a public patient it was required to identify whether or not he was an "eligible person".
SLHD also submits that, pursuant to mandatory policy directives published by the Ministry of Health, it was required to verify DMP's status as an "eligible person" specifically by reference to a Medicare card and to record both the fact of his Medicare eligibility and his Medicare number. SLHD refers to 2 policy directives:
the Medicare Ineligible and Reciprocal Health Agreement - Classification And Charging Policy Directive (Document No. PD2016_055) (the Medicare Ineligible Policy Directive); and
the Client Registration Policy Directive (Document No. PD 2007_094).
The Medicare Ineligible Policy Directive sets out a list of persons who are Medicare eligible and states that persons "in these classifications should present a valid Medicare card to confirm eligibility. If no Medicare card is presented the patient should be presumed ineligible until such time as a card is presented." The Client Registration Policy Directive states that at the time the first service is provided it is mandatory to record certain information in the Area Health Service-wide client registration database. One element of the mandatory information is Medicare eligibility and Medicare number if eligibility for Medicare is a factor in service provision or billing.
SLHD also argues that the services provided to DMP included the prescription of fentanyl and morphine, each of which is a Schedule 8 medication under the relevant Commonwealth and NSW legislation. The Poisons and Therapeutic Goods Regulation 2008 provides that the name of the patient to whom any such drug is administered or supplied must be included in a register on the day it is supplied or administered. Dr Ritchie refers to the "Medication Handling in NSW Public Health Facilities" Policy Directive which sets out the requirements for recording patient details, including the name of the patient for whom Schedule 8 drugs are prescribed.
SLHD also argues that it was impracticable to not identify DMP in order to treat him. This is primarily because SLHD and its medical practitioners are subject to a number of different obligations concerning the proper identification of patients and creation of medical records.
In his affidavit Dr Ritchie describes what is involved in the registration of individual patients and the care that they receive. These steps are set out in the Client Registration Policy Directive and Client Registration Guidelines applicable to SLHD. Dr Ritchie states that the standardisation of medical records promotes the provision of effective care, because it allows clinicians to have ready access to relevant information relating to the patient and details of their previous care. It also minimises the risk of a patient being misidentified or confused with another individual, which could jeopardise the care provided to him or her. He states that a key aspect of client registration involves checking whether the patient has an existing record which ensures clinical staff are equipped with the information necessary to provide good quality, continuing care to the patient.
In his affidavit Dr Ritchie notes that there are circumstances where a patient cannot be identified if, for example, a patient presents to hospital unconscious. Efforts are, however, made to establish the person's identity usually by the police. Dr Ritchie states that there are also patients who are treated as an "identity-restricted patient" when knowledge of the patient's identity puts them at risk in health facility. This is generally used for VIPs, individuals under police protection and individuals at risk of dangerous visitors. In these circumstances the patient is assigned an alias to be used in the eMR. Identity restrictions are also used for patients attending the sexual health service in SLHD, however, in these cases true identifiers are also kept separately for various reasons including for prescribing scheduled medications.
[15]
Conclusion
DMP has raised various other matters in his submissions, including issues concerning the Chief Executive. Many of these relate to what he believes are inaccuracies, inconsistencies or omissions in information with which he was provided. In my view they do not establish any grounds for establishing any breaches of DMP's privacy.
Overall, I have not found any of the complaints by DMP concerning the conduct of SLHD to be made out. I therefore decide to take no action with respect to the conduct.
[16]
Orders
1. The Tribunal decides not to take any action in the matters.
[17]
I hereby certify that this is a true and accurate record of the reasons for decision of the New South Wales Civil and Administrative Tribunal.
Registrar
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
[18]
Amendments
06 September 2021 - Anonymisation of identifiable names.
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 06 September 2021
SLHD also submits that a failure by clinicians to create medical records in respect of patients may also, depending on the circumstances, amount to negligence under the general law. In addition, the Medical Board of Australia has issued the "Good Medical Practice: A Code of Conduct for Doctors in Australia" under s 39 of the Health Practitioner Regulation National Law (NSW) No 86a. The code provides for the keeping of clear and accurate medical records. SLHD notes that the code is admissible in proceedings against a health practitioner as to what constitutes appropriate professional conduct or practice for the health profession under s 41 of the Health Practitioner Regulation National Law (NSW) No 86a. In addition, SLHD draws attention to the record keeping responsibilities of medical practitioners as set out in the Health Practitioner Regulation (New South Wales) Regulation 2016. Medical practitioners must ensure that a record is made in kept for each patient and, in addition to other details, patient's record "must contain sufficient information to identify the patient to whom it relates" (Schedule 4).
SLHD submits that while HPP13 envisages circumstances in which health services may be provided without a patient identifying themselves in at least some circumstances, the issue before the Tribunal is whether having regard to the health services provided to DMP between 6 and 8 June 2018, it was both lawful and practicable for SLHD to do so. In this regard, Dr Ritchie states that, in his view, the health services provided to DMP would have required follow-up for a subsequent procedure and would have involved a multidisciplinary team, including a urologist, anaesthetist and nursing and administrative staff. SLHD states that, in such circumstances, it would have been at least impracticable, particularly bearing in mind the obligations of the relevant clinicians to create appropriate medical records, it was at the very least impracticable to provide DMP with an opportunity not to identify himself.
SLHD also states that it was reasonably necessary and not excessive for the SLHD to collect DMP's health information when he presented to hospital on 6 June 2018 and this there were no contraventions of either HPP1 or HPP2.
It is clear that here is a conflict between the accounts given by DMP and Mr Mendoza of what occurred in the reception area on 6 June 2018. I see no reason for Mr Mendoza to fabricate an account of his encounter with DMP. I am mindful that DMP was in pain and had been given significant medication. While he states that his cognition was not impaired, it may well have been. Furthermore, it is clear that he was pursuing a particular agenda at the time fuelled by what he described at the hearing as his hatred for SLHD. In the circumstances, I prefer the account given by Mr Mendoza to that given by DMP.
DMP states that he was coerced into handing over his Medicare card. There is, however, no evidence of any such coercion. DMP told staff that he was not using his real name, offered no other means of identification, offered no means to pay for treatment and approached reception holding his Medicare card. He handed over the card when asked whether he would be paying by credit card. At the hearing he clearly said that, although he had said he would pay cash, he in fact had no means to do so. It is also clear from the tenor of his evidence that DMP went to the hospital intending to be treated as a public patient. I can find no evidence that his health information was collected by unlawful means.
The matters that are set out above in relation to the legal responsibilities of SLHD and its clinicians, in combination with the practicalities of actually providing treatment to DMP for what was a serious complaint, lead to an inevitable conclusion that it was neither lawful nor practicable for DMP to be treated anonymously when he attended hospital on 6 June 2018. There was no breach of HPP 13.
Similarly, I am also satisfied that the collection of his health information was reasonably necessary for SLHD to perform its functions. The collection was definitely relevant and was not excessive. There was no breach of HPP 1 or 2. I am also not satisfied that the circumstances raise a possible breach of HPP 4 or any further consideration of HPP 5.