Mr Dodd —PIAC is a non-profit organisation that works on public interest issues, including legal strategies, and has involvement with law reform. The PIAC submission sets out PIAC’s previous work in health and privacy issues. PIAC does welcome the opportunity to make this submission. Our submission is mainly focused on the draft bill that has been circulated. PIAC does recognise that the draft bill does raise two potentially competing public interest principles. The first is that there is a public interest for Australian consumers in the maintenance and integrity of Australia’s universal healthcare scheme, Medicare. On the other hand, there is a distinct public interest in the confidentiality of communications within the doctor-patient relationship that is recorded in the medical records of patients. PIAC strongly believes in that principle—that medical records are totally confidential—and, therefore, medical records should be provided with the same stringent protection as other sensitive information and privacy principles and privacy laws.

Having said that, PIAC did make some comments in its submission about the terms of reference of the inquiry. I will not go through all of those, but it is important to highlight some of them. PIAC was of the very strong view that if any information could be identified during the process then it should be. It was very clear in its submission that there should be a stepped review process. In other words, sensitive information should not be accessed unless there is no alternative to that course and that should be a decision that is made by senior officers of Medicare. Having said all that, PIAC concludes that the bill, together with the privacy safeguards already in place for Medicare, appropriately balances in the public interest in the integrity of Medicare and the public interest in the maintenance of patient confidentiality and privacy of health records. PIAC have had the opportunity to look at the privacy impact statement and PIAC think that the recommendations there are positive ones and could be implemented.

Finally, PIAC was concerned about the nature of the public debate about this issue. Our submission says that it has been misdirected and often verged on the hysterical, and that we are probably more concerned about privacy issues that might arise from greater corporatisation of medicine in Australia than arise from this legislation. Thank you.

Senator SIEWERT —Thank you for your submission. You raised a large number of really interesting points. I want to ask you a couple of questions and ask you to explain a few things in your submission a bit further as well, if that is okay.

Mr Dodd —Certainly.

Senator SIEWERT —I want to come back to this issue about the multi-step process around decision making about the collection of clinical information.

Mr Dodd —Yes.

Senator SIEWERT —But one point I did want to ask you about—and I will probably jump around the submission a bit—is seeking consent. I appreciate the argument that you make about not seeking consent but rather informing patients that their records are being accessed. The point that has been raised in some of the other submissions is that you impinge on medical practitioners’ rights because you are going to a patient and informing a patient that their records are potentially being accessed so that then informs the patient that the clinician is being audited. The point raised in a number of other submissions is that that is not fair either. Do you have a response to that?

Mr Dodd —Yes. I think there is a general principle that if personal information in the form of health records is accessed, then that person should, in a general sense, be informed. That is a general principle and I think that should be adhered to unless there are particular reasons to divert from that. The privacy audit does mention that and gives reasons why that might be problematic. I think that could be in some ways countered by the way that that information is given to health consumers. I think it could be made clear in that notification that there is no finding against a particular practitioner concerned. And there should be a thorough explanation as to why the information is being accessed. But, nevertheless, there is that general principle that if someone is going to access your personal information, you have a right to know about it.

Senator SIEWERT —And that, basically, is the overriding principle—that is, the patient has the right to know if their records are being accessed.

Mr Dodd —That is correct. You could take that further and say that they have a right to say yes or no, but PIAC recognises in this situation that giving the consumer that veto would probably undermine the scheme totally and is not practical. But those general principles still apply.

Senator SIEWERT —You touched on this issue in a number of places in your submission, and you made the point in your oral evidence, that you thought there had been an overreaction to this legislation. You make the point on page 5:

There has been a number of submissions that point out very strong concerns about the breaching of confidentiality in the giving of clinical information. We have just had psychiatrists talking to us about their concerns. To me, these seem to be very genuine concerns. It is not just about them saying, ‘We don’t want you to audit our records’; they are very concerned, particularly psychologists, about access to clinical data. They have suggested that the wording is more clearly defined about what ‘access to clinical records’ means—whether it is the administrative or the clinical records—and I must admit that I am concerned about this issue of access to clinical records. I accept the point you make in your submission that, yes, confidentiality is paramount, but there are circumstances where these records are accessed anyway. I am not quite sure that they are the same circumstances that we are talking about here.

Mr Dodd —Certainly in New South Wales, the Health Care Complaints Commission and the medical board have power to access medical records following a complaint. I know that is a little bit different, but nevertheless there is some analogy in those procedures. PIAC was probably reacting in some ways to statements by the AMA, which was suggesting that records would be available to all and sundry. The AMA referred to court records being available, and our submission tried to indicate that that probably is not going to happen given the existing practices in the courts where patients are clearly de-identified in those circumstances.

Senator SIEWERT —In your submission you talk about your concerns, particularly in large medical centres and in aged care facilities, and you give some examples. Do you have evidence that supports these issues? Where can we access the data that particularly picks out those two?

Mr Dodd —You are talking about the fact that patients are told to go to one particular diagnostic service or another?

Senator SIEWERT —Yes.

Mr Dodd —I think that is just anecdotal evidence. I am not sure whether there has been any study of that, but I have certainly heard of cases where people have been told that they must go to this particular diagnostic service.

Senator SIEWERT —And in aged care facilities? The issues around overservicing?

Mr Dodd —I think that that is a general concern. The practice is, as you know, that GPs quite often attend aged-care facilities and see lots of patients. For how long they see them is a bit problematic. I am not suggesting that there is always fraud or always misconduct, but it certainly lends itself to overservicing at some level.

Senator HUMPHRIES —I must say I was a little bit concerned about your submission. You say at the outset:

You then go on to say that access by bureaucrats under this audit process should be able to proceed. You suggest some protection for the records through de-identification once they reach court proceedings but not before that point. You say that a patient should be notified of their records being accessed but the audit should not proceed if they cannot be, for some reason, reached or notified. And you say that they should not have the right to refuse consent to having their records audited. With great respect, it really seems to me as if there is not much left of the principle that you state here that patient medical records are totally confidential, if all of those concessions are made.

Mr Dodd —Every right that we have as citizens is to some extent subject to other rights. We have emphasised that there is a right of Australian consumers to have access to Medicare, and that the maintenance of Medicare does depend on the integrity of the practitioners and the financial viability of the scheme. So that is an important right, and that is something that we recognise. We also recognise the right to confidentiality that people have at all points of the process, not just in the courts system. Rights always have to be balanced in these and other circumstances. I do not think I agree with you, with all respect, that this will greatly threaten a right of confidentiality or privacy. I think, as we pointed out in the submission, the law surrounding subpoenas would probably more greatly threaten that right than this legislation.

Senator HUMPHRIES —All of the other witnesses we have had today have argued that the access to the private records is a bridge too far in one form or another. You go to some lengths to identify the issue of making sure that the records, when used in a court, should be de-identified. But isn’t the real problem with this legislation that it allows access to people’s records at a much earlier stage in proceedings through the audit process? These are not medical practitioners reviewing the processes used by other practitioners; these are bureaucrats checking the records to see whether what is on the claim form by the doctor matches up with what is on the clinical records. Wouldn’t it be extremely corrosive of the patient-doctor relationship to have strangers poring over the medical records? Isn’t that really a fundamental blow to that principle that you state, that patient medical records are totally confidential?

Mr Dodd —I do not see it as corrosive of the doctor-patient relationship. It is an exception to that question of confidentiality. There are other exceptions. There are exceptions, as I said, in terms of subpoenas. There are exceptions in terms of investigations by the police. There are exceptions in relation to complaints made to health care complaints commissions and organisations like the medical board. These rights are not absolute. PIAC are very clear that we think that the integrity of the Medicare system is very important. I think that the arguments that have been put up in support of the legislation are valid in the sense that there does seem to be some need to increase the level of audits. The public would expect that.

Senator HUMPHRIES —We have a different view about what the public would expect. If people knew their records were being checked by bureaucrats and confidential information on those was available to people, I think that they would be horrified. But we have our own assessments to make about what the public might think about that.

Mr Dodd —I think it is a very good recommendation that is made. The privacy impacts assessment says that the public should be informed about the fact that their records may be used. The records can potentially be subpoenaed today; they can potentially be obtained by the police in the course of their investigation; and they can be obtained, as I said, by health care complaints commissions and by registration boards.

Senator HUMPHRIES —These are all in circumstances where some actual evidence has emerged of a problem and reasonably the records need to be examined in order to deal with a live issue which is actually there. I think people would expect some access to records in those circumstances, however reluctantly. But surely people will have concerns with simply looking at the records as part of a bureaucratic exercise in auditing. Won’t that be exacerbated by the existence of notification? You get a note saying, ‘Your doctor’s records are being audited and we intend to examine your personal medical files in order to see whether your doctor has been claiming appropriately against Medicare.’ Won’t that send a shiver down a lot of people’s spines and cause them some concern?

Mr Dodd —As I said to the committee earlier, and as the submission says, these are two conflicting public interest principles. There is a public interest principle in the confidentiality of Medicare records but there is also a public interest in the integrity of the Medicare system. People are concerned that doctors are basically, to use the vernacular, ripping off Medicare. There is concern in the public about that and we cannot ignore it. I am not suggesting that the majority of doctors want or intend to rip off Medicare, but I think that it is true, on anecdotal evidence, that not all doctors are honest. It is very competitive out there and there are a lot of temptations for doctors to not necessarily abuse the system but to cut corners. There has to be a public interest in that as well. Those two public interest principles have to be balanced. I am not suggesting that it is a good thing that people’s records are accessed, perhaps without them knowing, but it is also not a good thing if the costs of Medicare increase for consumers. And it is not a good thing if the Medicare system is ripped off. I have worked in the health complaints system and I do know that people are concerned when Medicare is abused.

Senator HUMPHRIES —My last question is this: the doctors who appeared before us today have said quite strongly that they feel that the disclosure of records would be corrosive of the doctor-patient relationship. That is their professional opinion. You have said that that is not the case. Can you offer some evidence to suggest that people would not in fact feel less comfortable disclosing matters to their doctor knowing that they can be disclosed to bureaucrats under a review?

Mr Dodd —I agree that that is a concern, and that is why the legislation and policy should have all the safeguards possible. But I think that those issues have been addressed in the Privacy Impact Statement. Generally speaking, it seems that the Privacy Commissioner has come up with the same conclusions that PIAC has, that on balance, with appropriate safeguards, the legislative model generally protects consumers. I am not sure what you mean when you say it is corrosive to the doctor-patient relationship. I think the doctor-patient relationship is a little bit different to a question of confidentiality.

Senator HUMPHRIES —Confidentiality is part of that relationship. You can disclose to your doctor that you have a mental illness or a venereal disease or HIV or whatever it might be and know that it is just between you and your doctor and not going to be shared with some bureaucrat from a department.

Mr Dodd —You used the word bureaucrat. Presumably, the people that are involved are aware and trained about privacy. I think that is part of the Privacy Impact Statement. I am not sure that the people that you call bureaucrats are any less reliable than other people who have access to medical information and I am not sure whether every doctor in Australia respects privacy at all times. There are complaints to health care complaints commissions and medical boards et cetera about doctors breaching confidentiality.

Senator HUMPHRIES —Are you suggesting that, because some doctors breach confidentiality, we are generally entitled to forget about confidentiality when it comes to accessing records?

Mr Dodd —No.

Senator HUMPHRIES —What does that have to do with the issue of records generally being made confidential and retained as confidential?

Mr Dodd —I am saying that it is a difficult issue. You have referred to bureaucrats dealing with the information. I am not sure why bureaucrats could be any less or more trusted than anybody else. That is the only point I make.

Senator HUMPHRIES —Thank you.

Senator FURNER —Mr Dodd, in relation to records access I do not know whether you have had an opportunity to read the Australian Health Insurance Association’s submission which indicates they have access to records as part of their audit process. This appears to be comparable with what is being proposed. I also understand that that submission has been supported in that part by the Consumer Health Forum. I take it that it is consistent with most insurance firms that they have access to types of information where there may be inappropriate or fraudulent claims so they can identify those types of issues. Once again, can I take you to your position on that type of access to records, please.

Mr Dodd —I have not read that submission. I think we would be a little bit more concerned about that sort of access than the access that is proposed here. I think that that is one of the points that our paper makes, that the protections that you find in the Health Insurance Act, the protections that are now suggested by the audit, are far stronger than the protections you find in other areas, certainly in the private sector where there are opportunities for access. That is one of the areas. I have not read their submission and I do not think I can comment any further on that, and I am not suggesting that there are not legitimate purposes for health insurance organisations to have access to medical records, but I would be far more concerned about that—unless again there were safeguards in place—than I am about the current legislation.

Senator FURNER —In your submission you referred to safeguards associated with the proposal. In fact, you indicated they provide a higher level of protection to the privacy and confidentiality of personal health information held by Medicare Australia than the protection afforded similar information held by the private sector. I guess that is going back to the statements that you have just made. I am wondering whether you can provide some examples to the committee of the latter, please.

Mr Dodd —I think it is not so much a question of examples. I think the reality is that everyone is subject to the privacy legislation—the federal privacy act. What the Health Insurance Act and the provisions in this recommendation provide are extra safeguards. PIAC welcomes those. PIAC actually suggested additional safeguards in its submission. But in the private sector you have the privacy act and nothing else. If you look at section 130 of the Health Insurance Act you will see that it provides pretty stringent penalties for people unlawfully disclosing information. Those penalties generally cannot be imposed on people in the private sector.

Senator FURNER —Would you suggest therefore that the proposal may help improve the handling of personal health information anyway?

Mr Dodd —Absolutely. I think the sorts of provisions that are suggested in the privacy audit and that are already in the legislation should also be applied to the private sector. Contrary to what has been suggested, we are strongly of the view that confidentiality and privacy should remain paramount. That should be reflected in those sorts of safeguards. But we also recognise that sometimes, in the public interest, records can and should be accessed.

Senator FURNER —Does the centre have any views on obtaining patient consent at the time of a claim as per private health insurance?

Mr Dodd —I think that is covered by the submission. We recognise that giving the patient effectively a veto over whether the information is used is not practical. There is a danger that doctors could pressure their patients not to consent. Take the scenario of a patient in a regional centre. There are a lot of regional centres in New South Wales which have just one doctor. If the doctor is subjected to an audit, patients are going to be very reluctant in that situation to consent, even if there is not pressure put on that patient by the doctor. So we just do not think that having the absolute consent of the patient in the legislation is practical. It is a good principle to have. I do not think there is any doubt that, as a general principle, there should be a requirement for a patient to give consent for their information to be accessed by other sources, but we do recognise that there are competing public interests here and that the public interest in conducting the audits have to be taken into account.

Senator BOYCE —You mentioned under section 3 the idea of de-identifying information. Can you explain to us exactly what you mean when you say ‘de-identify’? What would it involve doing?

Mr Dodd —I think that if a patient can be de-identified at any point then they should be de-identified as a matter of course. In my experience in the court system I have had some experience in disciplinary tribunals for doctors, nurses et cetera. In that court situation, people are referred to as AB or AD. They are not referred to by their full name if they are patients and not a party to the proceedings. I think that should take place as a matter of course at any time, even when they are being dealt with by—and I will use Senator Humphries’ term—bureaucrats. I think it is just a safeguard. But, on the other hand, we would recognise that there are times when the need for patients’ names and identities to be identified would be an essential part of the process. I think those situations are referred to in the privacy impact assessment.

Senator BOYCE —So the practitioner would be the one who would, in your view, be doing the de-identifying?

Mr Dodd —Not necessarily. I have got to say that I think that we recognise that de-identifying patients is probably not going to be possible in many of the cases, and it may be possible at one stage of the process and not possible at another stage in the process. It is certainly not going to be possible—

Senator BOYCE —It also has the potential to be a very lengthy and time-consuming exercise, doesn’t it, for whoever is going to be responsible for doing the de-identifying?

Mr Dodd —I am not sure if I agree with that. Clearly, if you are marrying up patient records with other records then you need the name of the person. But if the information goes on a file then the identification of the person is not necessary at all—and, if there are further records made, someone could be referred to as patient A or patient B or whatever. I cannot see why you would need to identify people in documents produced in records after that. These are all minor safeguards. You might suggest that they add to the cost of the process, and that might be true, but they also reduce the potential for that sort of information to be inappropriately disclosed.

Senator BOYCE —I am trying to think of what sorts of files you have in mind. Practitioners have spoken about perhaps simple diaries and other non-identifying administrative files, but then the only other files are the clinical notes of the practitioner which would identify the patient very clearly, I would have thought.

Mr Dodd —Not necessarily. Someone’s clinical notes may not refer to someone by name.

Senator BOYCE —You do not think they would have a name on them?

Mr Dodd —They would have a name on the front. I quite often have access to clinical notes; they do not have the name of the person identified on every page. You could de-identify a document like that.

Senator BOYCE —And you do not think potentially identifying information would be in those notes?

Mr Dodd —Yes, of course that is the case. Nevertheless, I am just trying to talk about reducing the possibility of that information being disclosed to the wrong person; I am not saying it would eliminate it.

Senator BOYCE —Nevertheless, if you were to go about trying to de-identify clinical records, for instance, someone would need to read through the entire record, would they not, to ensure that that had happened?

Mr Dodd —Yes, that could be done; yes, I agree. You might say that would be unnecessary and costly, but it could be done.

Senator BOYCE —It could be done, but it could be very time consuming, could it not?

Mr Dodd —As a legal practitioner I have had to do that time-consuming process as part of presenting evidence in relation to a prosecution of a matter in disciplinary proceedings, and it is a time-consuming process, but it can be done.

Senator BOYCE —Nevertheless, we are talking about circumstances which are extremely different, are they not, from those regarding a prosecution? We are talking about inadvertent potential errors.

Mr Dodd —Absolutely, and that is why—

Senator BOYCE —So to require the same amount of time to be devoted to something like that seems unusual.

Mr Dodd —Yes. Our submission says:

It is again a question of balance. This is a balancing process and we accept that.

Senator BOYCE —Thank you.

CHAIR —Thank you very much, Mr Dodd. If there are any further comments you wish to make, if something comes to mind, please let us know by getting in contact with the committee.

Mr Dodd —Yes, thank you very much. Thank you for your time.