Nurses frequently collect personal information; that means they must be mindful of privacy laws and standards.
George Clooney surely spoke for many when he understandably said, “I don’t like to share my personal life … It wouldn’t be personal if I shared it.”
Nevertheless, enquiring about patients’ intimate and personal information is a frequent activity in nursing. And patients usually disclose such details and answer questions freely on the basis of trust. They trust that the information is relevant and that it will be stored and remain confidential. Such concerns are addressed within the jurisdiction of the Australian Information Commissioner and are subject to the Australian Privacy Principles (APPs), which the commissioner administers. Part of that administrative responsibility is to investigate possible breaches and make determinations. Two of the commissioner’s recent cases have important implications for nurses.
The first involves the storage of medical records. Pursuant to the APPs, an entity (e.g., a hospital, health service, surgery, nurse practitioner’s practice) that holds personal information must take reasonable steps to protect the data from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Further, the entity must take reasonable steps to destroy or de-identify any personal information it holds once it is no longer needed. In this case, the medical centre stored about 960 paper-based medical records in a locked shed at the back of the site. The records included a range of personal information, including sensitive details such as results of medical investigations, correspondence with other medical and health practitioners, and discharge summaries. In late November 2013, the shed was broken into.
The commissioner found the medical centre had breached the APPs and in noting the sensitivity of the data stated that he “did not consider there to be any circumstances in which it would be reasonable to store health records, or any sensitive information, in a temporary structure such as a garden shed”. The commissioner also considered that the medical centre should have taken reasonable steps to destroy or permanently de-identify the medical records, especially as the majority of them were at least 11 years old. In any event, the APPs still required the centre to take reasonable steps to destroy or permanently de-identify personal information that it no longer used or needed.
The second case concerns the manner in which information is collected. The APPs state that an entity is only to collect data by lawful and fair means and not in an unreasonably intrusive way. It must also take reasonable steps to protect personal information it holds from misuse, loss, unauthorised access, modification or disclosure, and inform people of the identity of any enquirers and the purpose for the collection of information.
A blind flight passenger was asked a series of intrusive questions about his medical condition in the departure lounge of an airport. The purpose of the questions was to ascertain whether he was suitable to fly in light of his disability. The commissioner found that the questioning breached the APPs because the collection of the information was undertaken in an unreasonably intrusive manner, the airline failed to explain to the passenger the purposes for which it was (legitimately) collecting his personal information and because the content of the questions and the circumstances in which they were asked resulted in an unreasonable disclosure of his sensitive personal information (the conversation was in the presence of the passenger’s sighted guide and various passengers seated nearby in the departure lounge). The passenger was awarded $8500 for the breach of his privacy and obtained a written apology. Staff were ordered to undergo privacy training. It is noteworthy that the commissioner said it calculated the $8500 partly on the basis that the airline had a “responsibility … to have a sound understanding of its privacy obligations”.
The significance of this case for nurses is that they are regularly involved, to varying degrees of particularity and levels of intrusiveness, in questioning patients in relation to their illnesses, injuries or disabilities. This can occur in a variety of situations and under a multitude of circumstances. For example, nurses might be asking what appear to be quite benign questions: seeking the reasons for a follow-up appointment at the GP reception desk or asking a patient about sensitive information behind drawn curtains in a hospital ward where other patients are in the same bay.
Clearly, the case of the blind passenger illustrates that a nurse in either of these examples would need to be careful to ask for only relevant and necessary data (minimising intrusiveness), explain why the information is required, identify themselves (if necessary) and consider carefully whether the conversation should take place in other surroundings – more privacy would equate to less chance of disclosure. It is not hard to imagine that even the most professionally committed nurse, when subjected to time pressures, may not pause and reflect on these important obligations. However, for both nurse managers and individual nurses, ignorance of these obligations is not an excuse, as the airline found out.
Both cases highlight that nurses need to understand that their responsibilities concerning patient information are multifaceted, particularly when discussion or collection of personal details occurs in public spaces. Environments such as pharmacies, medical practices, hospital wards, homes, nursing homes and venues for community health promotion are all susceptible to greater privacy concerns, as the discussions occur in the proximity of others.
The first case also illustrates that obligations concerning the maintenance of privacy endure beyond the consultation period and for as long as the information is in existence. Whilst security of existing information, either electronic or paper based, is an ongoing responsibility, that existence itself is no longer justified when the information is no longer needed. Any nurse in management should enact and maintain a system to review stored information that ensures it is being justifiably retained or, if appropriate, destroyed.
Scott Trueman is a lecturer in the school of nursing, midwifery and nutrition at James Cook University.