From the Office of the Privacy Commissioner of New Zealand:
A man, M, who was involved in legal proceedings with his former partner, X, was a patient of a medical centre. The medical centre previously provided medical care to M and his family when he and X were still together.
X visited the medical centre with her new partner, N, and they requested historical information about the family and, in particular, an incident which involved one of the children a number of years before.
The medical centre assumed that N was M and so released all of the health information held about M, X and the children to the couple. This included a separate file relating to M which contained highly sensitive information about an anxiety disorder he was suffering from.
X then attached the information obtained from the medical centre to an affidavit presented to the Family Court in an attempt to show M as a bad parent. M was humiliated by the disclosure.
Rule 5 of the Health Information Privacy Code requires health agencies, such as the medical centre, to ensure that health information is protected, by reasonable security safeguards, against unauthorised disclosure.
In addition, section 45(a) of the Privacy Act requires agencies ensure that a requester is appropriately identified before providing them with personal or health information.
Rule 11 expects that a health agency shall not disclose health information to any individual unless the agency believes on reasonable grounds that an exception applies.
Here, the medical centre made an assumption that N was M and took no steps to ensure that this assumption was correct. Instead, it disclosed highly sensitive information about M to X and N.
We were satisfied that the medical centre breached rule 5 as it lacked the procedures and processes to ensure that steps were always taken to establish identity before releasing health information.
We were also satisfied that the disclosure of this information breached rule 11 as no exception applied to allow the medical centre to disclose the information.
We formed the view that the disclosure of M’s information to X and N caused M significant harm and we conveyed this view to the medical centre.
The medical centre accepted that its procedures were lacking, made extensive changes to its policy regarding the identification of information requesters, and trained its staff in their obligations under the Code.
The medical centre also agreed to apologise directly to M for its actions, pay him financial compensation and provide him and his children with free medical services for a set period of time.
We were satisfied with the steps that the medical centre took to ensure that the mistakes made with M’s health information were not repeated. M was satisfied with the settlement proposal that the medical centre offered to him personally. We closed our file.
Read more on Privacy.org.nz
H/T, @JCELaw