Email PDF
Listen
NSW Crest

Civil and Administrative Tribunal
New South Wales

Medium Neutral Citation:
AYT v Sydney Local Health District [2014] NSWCATAD 29
Hearing dates:
21 November 2013
Decision date:
19 March 2014
Jurisdiction:
Administrative and Equal Opportunity Division
Before:
S Higgins, Principal Member
Decision:

Pursuant to subs 55(2) of the Privacy and Personal Information Protection Act 1989, the Tribunal decides not to take any action on the matter.

Catchwords:
Health information about an individual - limits on disclosure of health information -protection of health information held by a government agency - health information produced by the agency pursuant to a subpoena issued by a court, production of the information for a secondary purpose - whether agency was not required to comply with the limits on disclosure of health information - whether the disclosed health information fell within the terms of the subpoena
Legislation Cited:
Civil and Administrative Tribunal 2013
Civil Procedure Act 2005
Government Information (Public Access) Act 2009
Health Records and Information Privacy Act 2002
Privacy and Personal Information Protection Act 1989
Uniform Civil Procedure Rules 2005
Cases Cited:
Rochfort v Trade Practices Commission (1982) 153 CLR 134; 43 ALR 659
Category:
Principal judgment
Parties:
AYT (Applicant)
Sydney Local Health District
Representation:
Applicant's husband (Agent for the Applicant)
Crown Solicitor's Office (Respondent)
File Number(s):
133225

reasons for decision

Introduction

1The applicant seeks review of conduct, by the Royal Prince Alfred Hospital (RPAH), she asserts to have been a breach of a number of health privacy principles (HPPs), set out in the Health Records and Information Privacy Act 2002 (HRIP Act), in regard to her personal health information. The alleged breaches are said to have arisen in the course of RPAH's response to a subpoena, issued by the District Court, in May 2012. The subpoena was issued, at the request of the defendant to proceedings instituted by the applicant in that Court.

2It is the contention of the applicant that, RPAH produced documents, containing her health information, which were irrelevant, or did not fall within, the terms of the subpoena. Of concern to the applicant were the production of her medical records from the Camperdown Aged Chronic Care and Rehabilitation Service (AC&R Clinic). It is this conduct, which the applicant alleges to amount to a contravention, by RPAH, of a number of HPPs in regard to her health information. The applicant went on to contend that as a result of the alleged contraventions her solicitor advised her that she had no alternative but to settle her occupiers liability claim before the District Court. In settling her claim, the applicant said she was forced to agree to a settlement amount that was considerably less than what she would otherwise have been entitled to.

3RPAH and the AC&R Clinic are facilities belonging to the Sydney Local Health District (the respondent). The AC&R Clinic is also located within the grounds of RPAH.

4In May 2013, the applicant made an application, under s 21 of the HRIP Act, seeking internal review of the respondent's conduct. On 25 June 2013, the respondent determined the applicant's application and found that the conduct of RPAH in responding to the subpoena did not amount to a breach of a HPP.

5Being dissatisfied with the respondent's determination, as she was entitled to do, the applicant made this application for external review by the Tribunal: see s 21 of the HRIP Act and s 53 of the Privacy and Personal Information Protection Act 1998 (PPIP Act).

6Following a number of planning meetings, the applicant's application was heard on 19 November 2013. By consent, it was agreed that the issue of liability would be determined first and if the Tribunal were to find that the alleged conduct of the respondent was a contravention of one or more of the HPPs the application would be re-listed for a hearing on the issue of damages.

7At all times, the applicant has been represented by her husband, as her agent.

8Since the hearing of this application, on 1 January 2014, the NSW Civil and Administrative Tribunal was established and on its establishment the Administrative Decisions Tribunal was abolished (see s 7 and cl 3 of Schedule 1 of the Civil and Administrative Tribunal Act 2013). And by reason of cl 7 of Schedule 1 of the Civil and Administrative Tribunal Act 2013, this application is taken to be an application before the NSW Civil and Administrative Tribunal (NCAT), with the provisions of the HRIP Act and Part 5 of the PPIP Act continuing to apply.

Issues

9There is no dispute that the Tribunal has jurisdiction to hear and determine this application. Nor is it disputed that the scope of the applicant's application is confined to the conduct the subject of her internal review application. In that application, the applicant ticked the boxes against the following descriptions as representing the nature of the conduct the subject of her complaint:

  • collection of her personal/health information (i.e. HPP 1 to HPP 4)
  • security or storage of her personal/health information (i.e. HPP 5)
  • use of her personal/health information (i.e. HPP 10)
  • disclosure of her personal/health information (i.e. HPP 11)

10During the course of the hearing it became apparent that the only HPP, relevant to the conduct complained of, was that relating to security and storage (HPP 5) and disclosure (HPP 11). That is, the collection and use HPP's were of no relevance to the conduct complained of.

11Integral to the alleged breaches of the security and storage and disclosure HPPs are the following questions:

(a)whether the health records of the AC&R Clinic are records within the possession, custody or control of RPAH,

(b)if they are, whether the applicant's health records of her treatment at the AC&R Clinic fell within the terms of the May 2012 subpoena, and

(c)whether RPAH's conduct in producing (i.e. disclosing) the applicant's AC&R Clinic medical records in response to the May 2012 subpoena amounted to a breach of HPP 5 and HPP 11.

12For the reasons set out below, I have found that the AC&R Clinic medical records are within the custody and control of RPAH, the applicant's health records of her treatment at the AC&R Clinic fell within the terms of the May 2012 subpoena and, by reason of cl 11(2)(a) and/or (b) of Schedule 1 of the HRIP Act, RPAH was not required to comply with the limits on disclosure as set out in cl 11(1).

Relevant legislation

13There is no dispute that the respondent is an organisation (i.e. a public sector agency) and subject to the provisions of the HRIP Act: see subs 11(1) of the HRIP Act. That is, it is required to comply with the HPPs set out in Schedule 1 of that Act.

14The respondent is also a public sector agency subject to the provisions of the PPIP Act): see s 20 of the PPIP Act. Accordingly, it is required to comply with information privacy principles (IPPs) set out in ss 8 to 19 of that Act.

15There is no dispute that the information, in the AC&R Clinic documents, produced by the RPAH, to the District Court, included health information about the applicant.

16The term 'health information' is defined in section 6 of the HRIP Act to include 'personal information' that is information or an opinion about a physical or mental health or a disability (at any time) of an individual. The term 'personal information' is defined in s 5 of the HRIP Act. That section relevantly provides as follows:

5 Definition of "personal information"
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

17Personal information is defined in the same terms in subs 4(1) and (2) of the PPIP Act.

18Subs 11(2) and (3) of the HRIP Act requires public sector agencies that collect, hold or use health information about an individual to comply with the HPPs and not do any thing, or engage in any practice that contravenes these principles. The HPPs are in Schedule 1 of that Act and relate to the collection storage, access and amendment, use and disclosure of personal health information.

19Section 21 of the PPIP Act requires public sector agencies not to do any thing, or engage in any practice that contravenes an IPP as set out in ss 8 to 19 of the PPIP Act. These principles relate to the collection, storage, access and amendment, use and disclosure of personal information about an individual.

20As I have mentioned the relevant HPPs in this application are HPP 5 and HPP 11. HPP 5 provides:

5 Retention and security
(1) An organisation that holds health information must ensure that:
(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and
(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.
Note. Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.
(2) An organisation is not required to comply with a requirement of this clause if:
(a) the organisation is lawfully authorised or required not to comply with it, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
(3) An investigative agency is not required to comply with subclause (1) (a).

21 HPP 11 relevantly provides:

11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:
(a) Consentthe individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or
(b) Direct relationthe secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or
Note. For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.
(c) ...
..., or
(l) Prescribed circumstancesthe disclosure of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.
(2) An organisation is not required to comply with a provision of this clause if:
(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or
(c) the organisation is an investigative agency disclosing information to another investigative agency.
(3) ...
(4) ...
(5) If health information is disclosed in accordance with subclause (1), the person, body or organisation to whom it was disclosed must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
(6) ...

22S 13 of the HRIP Act exempts Courts, Tribunals and Royal Commissions from the operation of the HRIP Act in so far as it relates to the exercise of their respective judicial functions (s 6 of the PPIP Act contains an exemption in similar terms).

23Subs 21(1) of the HRIP Act, makes provision for complaints to be made against a public sector agency in regard to conduct which is alleged to be a contravention of a HPP that applies to the agency. Such complaints are made pursuant to Part 5 of the PPIP Act and for that purpose the reference to 'personal information', in Part 5 of the PPIP Act, is to be taken to include 'health information': see subs 21(2) of the HRIP Act.

24Part 5 of the PPIP Act (i.e. ss 52 to 56) makes provision for the review of conduct of a public sector agency. S 52 in that part defines 'conduct' to include the contravention of an information protection principle that applies to a government agency. These information protection principles are set out in Part 2 of the PPIP Act (i.e. ss 8 to 19) and include principles in regard to the collection, retention and security, access, alteration, accuracy, use and disclosure of personal information. As mentioned above, subs 21(2) of the HRIP Act provides that for the purposes of Part 5 of the PPIP Act, a complaint made about conduct of an agency that contravenes a HPP, is also conduct falling within that Part.

25Section 53 of the PPIP Act gives a person aggrieved by the conduct of a public sector agency the right to make an application, to the agency, for an internal review of that conduct. By reason of subs 21(1) of the HRIP Act, this right extends to conduct which is alleged to be a contravention of a HPP that applies to that agency.

26Section 55 of the PPIP Act provides that a person dissatisfied with the findings of an agency on the internal review can make an application for external review to the Tribunal. That section relevantly provides:

55 Review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.
(1A) ...
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
(4) The Tribunal may make an order under subsection (2) (a) only if:
(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.
(4A) ...
(5) ...
(6) The Privacy Commissioner is to be notified by the Tribunal of any application for a review under this section. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to a review under this section.
(7) ...

27Again, by reason of subs 21(1) of the HRIP Act, this right of external review applies to persons who have sought internal review of conduct which is alleged to be a contravention of a HPP that applies to the agency.

The evidence

28In support of her case, the applicant tendered into evidence a copy of the documents she had been provided, by the respondent, in response to a number of access requests she had made in October and November 2012.

29The respondent tendered into evidence a statement of Ms Elaine Pan, an employee of the respondent. Ms Pan is employed as the acting Performance Analysis and Decision Support Officer, Performance Monitoring, Casemix and Innovation Unit. Ms Pan had responded to requests made by the applicant's husband, on 1 November 2012, and is familiar with RPAH's medical records electronic storage system and the process used by the Hospital in responding to a subpoena and other forms of access requests.

30Ms Pan also gave oral evidence and was cross examined at the hearing.

31In summary, on the evidence before the Tribunal, the sequence of events is as follows:

(a) On 5 May 2011, the applicant's solicitor wrote to Medical Records Officer of RPAH, seeking copies of the entire medical records of the applicant that it held, including the medical records from the 'Pain Management Centre and any additional records held by [RPAH] or under [its] control.'
(b) On 16 June 2011, Ms Pan, the then Medico-Legal Manager of RPAH, wrote to the applicant's solicitor enclosing copies of the requested medical records. These copies did not include any medical record of the applicant's treatment at the AC&R Clinic.
In her letter, Ms Pan advised that, pursuant to the HRIP Act, some information had been removed from those records, as the information affected the personal affairs of a person other than the applicant.
In her letter Ms Pan also said:
'Please note that additional information (such as correspondence and documents from other agencies) may exist but is not released as a matter of routine unless you specifically request such information.'
(c) Sometime in 2012, and prior to 24 May 2012, the applicant commenced proceedings, in the District Court, in regard to her occupier's liability claim.
(d) As I have already mentioned, on 24 May 2012, the District Court issued the subpoena, as requested by the defendant to the applicant's occupier's liability claim. The subpoena, addressed to the Medical Superintendent of RPAH and returnable on 2 July 2012, ordered the production of the following records:
'All records relating to the abovenamed plaintiff and, without limiting the generality of the foregoing all clinical notes, nurse's reports, operation reports, x-ray films, x-ray reports, discharge summaries, out-patient records and any other document or thing relating to any tests or procedures whether surgical or otherwise carried out in relation to the said plaintiff [name of the applicant and her date of birth].'
(e) The subpoena was served on RPAH and, in accordance with the procedures of the hospital it was forwarded to the Medical Records Department (MR Department) to action.
(f) The MR Department produced documents (including those relating to the applicant's treatment at the AC&R Clinic) to the District Court. Subsequently, the District Court made orders in regard to access to the documents that had been produced to the Court.
The Court ordered that the applicant (i.e. the plaintiff in those proceedings), be granted first access to the documents, from 3 July to 9 July 2012. The applicant, nor her solicitor, viewed the produced documents during this time.
The defendant obtained access to the produced documents (including those of the Camperdown AC&R Clinic), on 12 July 2012.
(g) On 26 July 2012, the District Court, at the request of the defendant in the applicant's occupier's liability claim, issued a further subpoena addressed to the Medical Records Officer, Royal Prince Alfred Pain Management Centre, ordering production of 'all records held relating to all consultations, examinations and treatment had with or administered to the [applicant], ...'
The subpoena was sent to the MR Department to action. The Department subsequently produced, to the District Court, the relevant records of the applicant held by the Pain Management Centre.
(h) On 1 November 2012, on behalf of the applicant, the applicant's husband telephoned RPAH to complain about RPAH having produced, to the District Court, documents about the applicant, which should not have been produced. He spoke to Ms Pan and identified the documents of concern being those of the AC&R Clinic.
(i) After having made inquiries with the staff in the MR Department, Ms Pan ascertained that the AC&R Clinic documents were produced in response to the subpoena issued on 24 May 2012.
(j) Ms Pan, believing that the AC&R Clinic documents had been inadvertently produced, asked the District Court to return all the documents produced in response to the May subpoena. The Court returned the documents. Ms Pan removed the AC&R Clinic documents and returned the remaining documents to the Court.
(k) On 19 November 2012, Ms Pan had a conversation with the applicant's husband. She informed him of the actions she had taken and she also agreed that the AC&R Clinic documents had been inadvertently produced to the District Court. Ms Pan also provided the applicant's husband with advice on how to make a privacy complaint and obtain copies of the applicant's AC&R Clinic records.

32The applicant did not provide any details as to when her claim in the District Court was settled. I have assumed it was after 26 July and before 1 November 2012, when the applicant's husband contacted Ms Pan. Even if my assumption is incorrect, this has no bearing on the matters in issue regarding liability of the respondent under the HRIP Act.

33In her evidence, Ms Pan explained that RPAH has an electronic patient administration system (the eMR system), which contains the medical records of patients. The system, she explained is indexed in accordance with a specific identification number (i.e. Medical Record Number) that is given to each patient.

34Ms Pan went on to explain that some time ago a decision was made to integrate the AC&R Clinic patient medical records with that of RPAH. Hence, every patient of the AC&R Clinic is also given a specific identification number, and where the Hospital has already given the patient a specific identification number, the same number is used. Accordingly, a search on the eMR system for the medical records of a particular patient will identify any medical records of that patient, from the Hospital and/or the AC&R Clinic, held on that system.

35Ms Pan explained that the MR Department actions all applications for access to patient medical records and any Court subpoena served on RPAH. She said, where an access application or subpoena is to be actioned, an officer of the MR Department conducts an initial search on RPAH's electronic patient administration system (eMR system). That system, she explained, also enables the officer to electronically access the actual medical records of the patient which have been recorded on the system, or are otherwise connected to the system. However, where a record has not been recorded on the system and it is not otherwise connected to that system, the officer is required to make a copy from the actual physical document held by the Hospital or the AC&R Clinic.

36Ms Pan's evidence was that in responding to the May 2012 subpoena, the relevant officer of the MR Department had produced, to the District Court, copies of the applicant's medical records, as indexed under her specific Medical Record Number, in the eMR system, at that time. This included those records of the applicant from the AC&R Clinic.

37In regard to her actions in retrieving the produced documents from the District Court and then extracting the AC&R Clinic documents, Ms Pan said she believed, at that time, that the documents had been inadvertently produced. That is, at the time she believed they were documents that should not have been produced in response to the subpoena. She said it was on the basis of this belief that she agreed with the proposition of the applicant's husband, on 19 November 2012, that these documents had been produced in error. Ms Pan went on to say that she also informed the applicant's husband that the AC&R Clinic and the Hospital used the same patient Medical Record Number for the applicant when creating a medical record for the applicant.

38It was the evidence of Ms Pan that it was not until she was spoken to by the respondent's internal reviewer, of the applicant's privacy application, that she realised that her belief, as expressed to the applicant's husband, was incorrect. In this regard, Ms Pan said the respondent's internal reviewer, informed her as follows:

'a) At the time the AC&R eMR system was being implemented, a decision was made to integrate the AC&R Camperdown records with those of RPAH, and to use the same Medical Record Number (which indicates the patient to which the records relate). The policy reason behind this decision was to enable continuity of care between the AC&R unit and the Hospital where the patients were receiving treatment.
b) Administratively, all of the patient records generated by the Camperdown AC&R unit are considered to be part of the RPAH's medical record, and can be accessed in appropriate circumstances (that is, for the purpose of providing medical services to patients). Documents created by the AC&R unit within the eMR system are stored centrally with the rest of the RPAH's records. They are considered to be integrated as part of the patient record. Staff in the Medical Records Department, by virtue of their role, necessarily have access to these records.

c) All patients who receive treatment at Camperdown AC&R ... are required to complete a "AC&R Consent for Assessment and Information Sharing" form. This form ... requires that a person who signs the form has read and understood the Local health District's brochure entitled "Privacy Information for Patient/Clients".

d) The "Privacy Information" brochure ... informs patients of the creation of a Medical Record Number for each patient and also informs them that authorised users throughout the Local Health District will be able to access health records which are linked to that Medical Record Number. ...'

39Ms Pan's evidence was that the applicant had been provided with the abovementioned 'Privacy Information' brochure when she became a patient of the Hospital.

Consideration

40Written submissions were filed by both parties and I have read them carefully. The applicant's submissions are, in my view, misconceived in that they do not address issues relevant to the provisions of the HRIP Act. Instead, issues in regard to negligence are raised, which are not relevant in the context of this application. I draw no adverse inference from this as the applicant and her husband are not legally trained.

41There is no dispute that the disclosure of the applicant's medical records to the District Court was a disclosure for a secondary purpose and not the primary purpose for which they had been collected by RPAH and the AC&R Clinic. They had clearly been collected for the purpose of providing health services to the applicant and not for any other purpose. Hence, RPAH's conduct, in disclosing the applicant's medical records to the District Court, is prima facie a breach of the disclosure HPP, in clause 11(1) of Schedule 1 of the HRIP Act, unless one of the prescribed exceptions apply, or the respondent was not required to comply by reason of one of the circumstances prescribed in clause 11(2).

42It is accepted that the exceptions in para (a) to (l) of clause 11(1) do not apply.

43However, for the reasons set out below, I accept the general contentions of the respondent about a subpoena, addressed to it, to produce documents. That is, as a general rule, the respondent is not required to comply with the requirement in clause 11(1) when responding to a subpoena, because, by reason of clause 11(2)(a) and (b) of Schedule 1 of the HRIP Act, the subpoena provisions of the Civil Procedure Act 2005 (CP Act) and the Uniform Civil Procedure Rules 2005 (UCP Rules) lawfully authorises it not to comply, or requires it not to comply. However, this non-compliance with the requirements of clause 11(1) only extends to the production of health information falling within the terms of the subpoena and that which is 'held' by the respondent.

44Section 68 of the CP Act, gives a court (including the District Court) the power to issue a subpoena requiring a person to produce a document to the court, and/or attend the court to give evidence. The procedure in regard to issuing, serving and responding to a subpoena is set out in rule 33 of the UCP Rules.

45Rule 33.1(1) of the UCP Rules defines a 'subpoena' to be an order in writing requiring the addressee to give evidence, or to produce the subpoena or a copy of it and a document or thing, or to do both of these. Rule 33.2 sets out the circumstances where a court may issue a subpoena and when a subpoena has been issued (i.e. when the issuing officer of the court has sealed the subpoena with the seal of the court).

46In this application there is no dispute that the May 2012 subpoena was appropriately issued by the District Court and served on the addressee, RPAH, in accordance with rule 33 of the UCP Rules. As I have mentioned, it was a subpoena requiring the production of specified documents concerning the applicant. A failure, by RPHA, to produce the documents could have amounted to contempt of the District Court: see rule 33.6 and 33.12 of the UCP Rules.

47RPAH's obligation (also the respondent's obligation) in regard to the documents it was required to produce extended to those documents, concerning the applicant, that were within its possession, custody and control (i.e. those it 'held'): see Rochfort v Trade Practices Commission (1982) 153 CLR 134; 43 ALR 659.

48As pointed out by the respondent, the word 'document', as used in any Act or instrument is broadly defined, in s 21(1) of the Interpretation Act 1987, to include 'anything on which there is writing' and 'anything from which ...writings can be reproduced with or without the aid of anything else.'

49On the basis of the evidence of Ms Pan, I accept that the AC&R Clinic health records of the applicant, were records (i.e. documents), within the possession, custody and control of RPAH at the relevant time (i.e. held by RPAH). As explained by Ms Pan, these records were accessible on RPAH's electronic patient administration system and were readily identifiable through the medical record number attributed to the applicant when she initially became a patient at RPAH.

50I also find, on the basis of the terms of the May 2012 subpoena, that the AC& R Clinic health records of the applicant fell within these terms, because the subpoena expressly requested 'all records relating' to the applicant.

51Ms Pan's advice to the applicant's husband in November 2012 and her conduct in retrieving the applicant's AC&R Clinic health records from the documents, produced in response to the May 2012 subpoena, was clearly misconceived.

52On the basis of my findings above, I also find that the conduct of RPAH (i.e. the respondent) in producing, to the District Court, the AC&R Clinic health records of the applicant, did not amount to a breach of the retention and security HPP in cl 5 of Schedule 1 of the HRIP Act. In this regard I note that there is no evidence to suggest that the respondent had at any time failed to protect the applicant's health information against loss, or unauthorised access or disclosure.

53On the basis of my findings, the appropriate order is to decide, pursuant to s 55(2) of the PPIP Act, to take no further action on the applicant's application.

54Whether the applicant has any other avenue of redress for what she perceives to have led to the loss of her occupiers liability claim is not a matter for the Tribunal.

55There is, however, one matter that did arise in the course of the hearing of this application which warrants further comment. This matter arises from the evidence of Ms Pan in that she said there was a difference in the procedures of the MR Department of RPAH when responding to an access application, including an application under the Government Information (Public Access) Act 2012 (GIPA Act) and clause 7 of Schedule 1 of the HRIP Act.

56It was the evidence of Ms Pan that in response to such access applications, the MR Department will only search for and identify the RPAH records of that patient. That is, unlike the procedure for responding to a subpoena, no broader search is made on RPAH's electronic patient administration system. Ms Pan's evidence was that the person seeking access is nevertheless informed that 'additional information ... may exist but not released as a matter of routine unless ... specifically requested'.

57Ms Pan explained that this was why no copies of the applicant's AC&R Clinic health records were included in RPAH's response to the May 2011 access request, by the applicant's solicitor. As mentioned above, the applicant's solicitor was however advised, in the usual terms, that additional information may exist.

58Although it was not an issue in this application, I was left with the impressions from the evidence of Ms Pan that an application for access to a patient's health information, under the GIPA Act or clause 7 of Schedule 1 of the HRIP Act, would be treated differently to a subpoena requiring production of the same class of information. I note that the applicant's solicitor did not make a request under these provisions. However, I understood Ms Pan to say that had the request been made under these provisions, it would have been dealt with in the same manner. That is, in responding to any access application, RPAH only searches for the persons RPAH health records and not any other health records held by it.

59In my view, there should be no difference in approach in identifying relevant documents/information in response to a subpoena and that used for responding to access application made under the GIPA Act or clause 7 of Schedule 1 of the HRIP Act. They all require RPAH to identify every record it 'holds' containing the information sought. Whether access is granted to the information sought and held by RPAH, is of course another matter. This is determined in accordance with the provisions of the Act under which the access application was made.

60In making these remarks I am not critical of Ms Pan. However, I recommend that RPAH examines its procedures in regard to access applications to ensure they comply with the provisions of the GIPA Act and the HRIP Act.

Conclusions and orders

61For the reasons set out above, I have found that the conduct of the respondent in producing, to the District Court, pursuant to a subpoena, the applicant's AC&R Clinic medical records did not amount to a breach of a HPP under the HRIP Act.

62On the basis of my findings I order:

Pursuant to subs 55(2) of the Privacy and Personal Information Protection Act 1989, the Tribunal decides not to take any action on the matter.

 

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar

DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.

Decision last updated: 19 March 2014