The patient and the doctor had been acquainted through their common Islamic faith and their attendance at religious services.
In 2011-2012 the patient had sought treatment from the doctor for ‘panic attacks’.
In 2014-2015 the patient sent several emails to the doctor, relatives and friends after renouncing his Islamic faith. In reply to an email, the doctor responded to the patient and six third-party individuals:
“… As I explained, all the answers will be provided with the view that NOT ONLY YOU & … but ANYONE ELSE would not have legs to stand on as regards your enquiry if you follow the FULL explanation. … I am a perpetual student of OMNISCIENCE and will do the explanation in a scientific manner.
I also want you to answer a few questions so that the DELUSION is avoided and does NOT PERSIST. You’ll recall my management of your Delusional Depression.”
The patient subsequently lodged a complaint under the Privacy Act.
The Privacy Commissioner found the complaint substantiated.
The disclosure of the patient’s ‘Delusional Depression’ made in the email was not made for the primary purpose of providing him with medical care, and it was not reasonable for the doctor to assume that the patient consented to his medical history being disclosed in the circumstances (i.e. breach of APP 6.1). Further, the doctor had failed to take reasonable steps to ensure that the personal information he disclosed was relevant to the purpose for which it was disclosed (i.e. breach of APP 10.2).
The Privacy Commissioner awarded the sum of $10,000 compensation, taking into account the sensitive nature of the personal information that was disclosed and the patient’s vulnerability.
The case serves as a reminder to doctors of their responsibility to understand their privacy obligations and demonstrates how breaches can be caused by the simplest of mistakes.
The decision is ‘IV’ and ‘IW’ [2016] AICmr 41.