Home | Clinical Practice | Check twice, click once: The legal implications of incorrectly sending patient information via email

Check twice, click once: The legal implications of incorrectly sending patient information via email

Nurses are required to maintain patient confidentially due to their legal, moral, ethical, employment and professional duties as they are trusted with a patient’s most intimate and personal information.

This trust is often a challenge to maintain when working in busy clinical environments. For example, emailing sensitive medical information is fraught with dangers, including the difficulty of retrieving it if sent to the wrong recipient.

Most nurses and health services are governed by the Commonwealth Privacy Act (1988). Pursuant to the Act there are a number of mandatory Australian Privacy Principles (APP) which need to be adhered to. When a nurse or health service breaches these APPs there are potential serious consequences, including investigation, prosecution and payment of monetary damages. This jurisdiction is governed by the Information Commissioner (OAIC).

In a recent case, two patients’ grievances related to a health clinic’s disclosure of their personal medical information twice to an unknown recipient by using an incorrect Gmail address.

Both patients were diagnosed as HIV positive. Patient A and his husband (Patient B) had previously been part of research facilitated by the clinic concerning HIV transmission. They had both previously provided their respective email addresses.

Relevantly, A provided his work email address, which included a reference to his place of employment, and B provided a personal email address which was comprised of his first and last name, as well as his middle initial.

Summarily the facts as set out are:

  • At 2.19pm on 22 December 2017 the clinic sent an email to A’s work email address, and to an incorrect email address containing B’s first and last name but omitting his middle initial.
  • At 2.21pm A sent a reply email to the clinic requesting that future communications for him be sent to an alternate personal email address.
  • At 2.34pm the clinic sent an email to A’s personal email address and copied the incorrect email address concerning B. That email attached a consent form for the medical study.
  • At 5.34pm A sent a reply email to the clinic notifying them that it had used the incorrect email address concerning B.

With no response from the clinic, A sent an email on 25 January 2018 to the clinic advising he would be making a complaint to the Information Commissioner. On 29 January the clinic emailed A a letter (dated 26 January 2018) apologising for the ‘inconvenience and disappointment’ caused, setting out the steps it had taken in response to the incident, and stating that it was undertaking an investigation.

A and B lodged a complaint with the OAIC on 14 February 2018.

In the formal complaint A claimed that the clinic interfered with his privacy because:

  • It disclosed his and B’s personal and sensitive information without their consent to an unknown third party.
  • The information included: A’s name, work/employer, partner’s (B) name, that he was part of a sensitive research study, recent diagnosis of HIV and B’s existing HIV positive condition.
  • They understood their personal information would not be shared with anyone and stored securely.

Pursuant to the APP this is deemed ‘sensitive information’ requiring additional caution in distributing.

The health service submitted that it did undertake steps to address the error, including:

  • Sending a follow-up email to the incorrect email address and requesting that the email be deleted or shredded – with no response.
  • Engaging with Google to attempt to have the email destroyed.
  • Offering to reimburse A for costs incurred through counselling sessions.
  • Making a written apology to A.
  • Undertaking a number of steps to protect client personal information in the future.

The Information Commissioner found that (A and B’s) ‘personal (‘sensitive’) information’ had been disclosed as defined in the Privacy Act, including both A and B’s sexual orientation. Accordingly, the clinic was in breach of APP 11.1.

Both A and B claimed that the disclosures caused them significant personal distress and psychological injury (including cost of treatment). The Information Commissioner ordered the health service to issue a formal letter of apology, instructed it to undertake specific steps to ensure the breach was not repeated and awarded $10,000 in compensation to A and $3,000 to B.

The lessons for nurses arising from this case reinforce the requirement that if in managerial positions they must ensure their workplace has policies, procedures and training for the safe storage (digital or otherwise) of medical information and its dissemination, whether electronically or otherwise.

Nurses as employees have a duty to the patient, profession and employers to ensure they act in such matters with all reasonable skill and diligence to maintain a patient’s privacy.

Dr Scott Trueman, chair Case Management Society of Australia, nurse and previous practising lawyer.

Do you have an idea for a story?
Email [email protected]

Get the news delivered straight to your inbox

Receive the top stories in our weekly newsletter Sign up now

Leave a Comment

Your email address will not be published. Required fields are marked *