21 April 2020

How these agencies are breaching patient privacy

AHPRA Patients Policy

Privacy experts have criticised Services Australia and AHPRA for sharing thousands of private health records every year without informing patients, a practice that appears to contradict the government’s own guidelines.

Large volumes of Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS) data are routinely shared between the two agencies to aid AHPRA’s investigations into alleged doctor misconduct.

While doctors are informed when their own private health data, or their practice data, is transferred to AHPRA during an investigation, patients are not routinely alerted by either agency that their privacy has been breached.

In 2019, Services Australia released 2,625 private health records to AHPRA, which represented an increase in disclosures since 2017.

Access to MBS and PBS data can help AHPRA determine whether a complaint about a doctor is valid.

But PBS and MBS data contains personal information about what scripts a patient has filled and which Medicare items were billed during a consultation and can reveal highly sensitive information about the patient.

“It is very troubling that Services Australia is sharing private medical data with AHPRA without consulting the patients involved,” Jonathan Crowe, a professor of law at Bond University, said.

Patients should be systematically informed that their data had been shared between agencies, even if it was necessary to wait until after an AHPRA investigation had concluded, Assistant Professor Bruce Baer Arnold, a legal academic at the University of Canberra, said.

“It would be easy to build such a communication mechanism into systems,” he said.

Secret data sharing arrangements such as these often stemmed from a “culture of bureaucratic laziness” and could be interpreted as a lack of respect for the patient.

While a patient making a complaint about a health practitioner to AHPRA might assume that their private MBS and PBS data could be shared between agencies as part of the investigation, around half of complaints are not made by patients.

When complaints are made about doctors by third parties (such as other practitioners, employers or relatives), patients are generally unaware AHPRA is accessing their data and have no opportunity to provide informed consent.

After a year-long freedom of information battle, The Medical Republic has finally secured an unredacted copy of the internal guidelines used by Services Australia officials to make decisions about sharing MBS and PBS data with external agencies.

Page 11 of those guidelines states that: “…in circumstances where it is practicable and reasonable to do so, persons about whom information may be released should be consulted and their views taken into account in making the decision to release information in the public interest.

“Further, where it is practicable and reasonable to do so, persons about whom information is released should be informed that information about them has been disclosed in the public interest to a third party and identify that party.”

Services Australia and AHPRA could be behaving unlawfully by failing to inform patients when their private health data was shared between agencies, barrister and privacy advocate Peter Clarke said.

However, determining the legality of this would require careful analysis of the exceptions and exemptions across several pieces of legislation and possibly a test case, he said.

Dr Chris Moy, the chair of AMA ethics and medico-Legal committee, said that page 11 of the unredacted guidelines “does make you wonder whether Services Australia have actually passed their own test in regard to procedural fairness and the requirement to consult the individual about the release of information”.

AHPRA says it complies with all confidentiality provisions in the National Law which governs its activities.

Services Australia general manager Hank Jongen said: “Due to the nature of the cases in which information is released to AHPRA, it is not practicable and reasonable to consult with persons about whom information may be released.

“Neither the National Health Act 1953 nor the Health Insurance Act 1973 require notification where information has been disclosed as permitted by those Acts.’

The Services Australia internal guidelines, which were issued by the federal Department of Health in 2003, have not been updated in 17 years.

As a result of The Medical Republic’s ongoing investigation, the Department of Health and Services Australia have now begun a joint review of the guidelines.

In reviewing the guidelines, the government should aim for greater consistency, and consider the recent debate around My Health Record, Dr Moy said.

The government should also ask for submissions from the public about how to best update guidelines, he said.

COVID-19 live update