How to report a breach of patient confidentiality

The Department of Health and Aged Care is an agency of the Australian Public Service (APS), and all APS employees must follow the APS Code of Conduct. That means Health and Aged Care employees must:

  • behave honestly and with integrity in connection with APS employment
  • act with care and diligence in connection with APS employment
  • when acting in connection with APS employment, treat everyone with respect and courtesy, and without harassment
  • when acting in connection with APS employment, comply with all applicable Australian laws
  • comply with any lawful and reasonable direction given by someone in the employee's Agency who has authority to give the direction
  • maintain appropriate confidentiality about dealings that the employee has with any Minister or Minister's member of staff
  • take reasonable steps to avoid any conflict of interest (real or apparent) and disclose details of any material personal interest of the employee in connection with the employee's APS employment
  • use Commonwealth resources in a proper manner and for a proper purpose
  • not provide false or misleading information in response to a request for information that is made for official purposes in connection with the employee's APS employment
  • not improperly use inside information or the employee's duties, status, power or authority to gain, or seek to gain, a benefit or an advantage for the employee or any other person; or to cause, or to seek to cause, detriment to the employee's Agency, the Commonwealth or any other person
  • at all times behave in a way that upholds the APS Values and Employment Principles, and the integrity and good reputation of the employee's Agency and the APS
  • while on duty overseas, at all times behave in a way that upholds the good reputation of Australia; and
  • comply with any other conduct requirement that is prescribed by the regulations.

The code is set out in full in section 13 of the Public Service Act 1999 (the Act).

Secretary’s procedures for determining breaches of the APS Code of Conduct

To accord with section 15(3) of the Act, the Secretary of the Department of Health and Aged Care has established procedures for determining whether a Health and Aged Care employee, or former employee, has breached the APS Code of Conduct. We also have established procedures for determining sanctions.

We have made these procedures available to accord with section 15(7) of the Act.

I, Glenys Beauchamp, Secretary of the Department of Health (‘the Department’), establish these procedures under subsection 15(3) of the Public Service Act 1999 (‘the Act’). These procedures commence on 10 January 2018.

You can lodge an information privacy complaint if you believe that the Department of Health has breached its obligations under the Information Privacy Act 2009 (Qld) (the Act) to comply with the:

  • privacy principles including the National Privacy Principles, and/or
  • conditions attached to a public interest approval granted under section 157 of the Act.

It’s best to make your privacy complaint as soon as you are aware that your privacy may have been breached. The earlier you tell us, the sooner we can act. Make sure you tell us what outcome you are seeking or the action you want us to take.

Hospital or Health Service privacy complaint

If your complaint is about the way a Hospital and Health Service (HHS) has dealt with your personal information, you will need to contact them directly.

Find the privacy contact for your HHS

Department of Health privacy complaint

Privacy complaints made to the Department of Health must:

  • be in writing
  • include an address so we can reply
  • be about your personal information (not someone else's)
  • give specific detail about your concerns/issues with how the Department has handled your personal information.

So that we can respond properly and efficiently, make sure your privacy complaint contains enough information for the department to understand the nature of your complaint, the impact it has had on you and the outcome you are seeking.

Please attach copies of any documents you consider may assist the department to investigate your privacy complaint.

In the course of the investigation, it may be necessary to disclose the nature of your privacy complaint and your identity to relevant business areas within the department and to third parties. You can advise us that you do not wish the department to do this; however, please be aware that this may mean the department cannot properly investigate and resolve the privacy complaint.

Your privacy complaint should be marked Private and Confidential and sent:

By post:

Principal Privacy Officer
Privacy and Right to Information Unit
Department of Health
GPO Box 48
BRISBANE QLD 4001

By email:

Responding to your privacy complaint

An acknowledgement letter or email will be sent to you within 5 business days of the receipt of the privacy complaint. To make sure your personal information is protected, we take precautions to verify the identity of complainants. Depending on the nature of your privacy complaint, we may request that you provide sufficient evidence of identity in order to progress with your complaint. If we require further information we will contact you.

We will then respond within 45 business days outlining our decision and reasons for this decision.

However, if your privacy complaint is complex or requires extensive work and consultation, we may not be able to respond within 45 business days. If this happens, we will notify you of the delay in writing.

Anonymous privacy complaint

We will accept and process anonymous privacy complaints. However, an anonymous privacy complaint may be difficult to deal with, and we may be unable to provide a response.

Withdraw a privacy complaint

If you wish to withdraw a privacy complaint, it must be in writing. We may still continue with the assessment if the privacy complaint involves a serious or significant issue which requires further management.

Further action

If you are not satisfied with our response, or have not received a response, and at least 45 business days have passed since the privacy complaint was made in writing to the Department of Health, you can refer the privacy complaint to the Office of the Information Commissioner (OIC) Queensland.

This can be done through the online complaints form, or in person, by post, email or fax.

Find out more about lodging a privacy complaint with the OIC

What happens when a breach of patient confidentiality occurs? Patient confidentiality is breached all the time, often by accident, and nurses must know what to do when it happens.

Check out our guide to addressing a breach of patient confidentiality as a nurse. 

How Often is There a Breach of Patient Confidentiality?

In a study published by BMC Med Ethics, researchers conducted 33,157 hours of observation in clinical environments and found that a breach of patient confidentiality occurred every 62.5 hours. 

That's an average of around 2.5 breaches each week within the 1197-bed university hospital where the study took place.

While healthcare facilities typically require staff to go through annual training, and patient confidentiality is mandated by federal law, it's nearly impossible in the fast-paced environment of today's healthcare world to ensure zero breaches occur. 

That's why hospitals and other facilities have procedures in place for addressing privacy violations.

Patient Confidentiality Laws Require Notification of Breaches

HIPAA laws require that breaches in patient confidentiality be reported. For nurses, that typically means reporting a breach — whether you or a colleague made it — to your nurse manager or a facility compliance officer.

Reporting is required whether or not the breach was an accident. Patient confidentiality laws may require that the breach be reported outside of the facility, and someone usually has to notify the patient or patients impacted by the breach.

Note that the nurse should not notify the patient about the breach. Most hospitals have a compliance or legal department that deals with issues such as a breach of confidentiality by nursing staff.

"Nurses shouldn't notify patients themselves," says former healthcare compliance officer Carol Johnson. "There probably needs to be an investigation. Someone in compliance or legal — often along with executive leadership — may decide how to handle the notifications."

Patient Confidentiality: Nursing Actions After a Breach

So, what should you do if you accidentally breach a patient's confidentiality or see someone else do so inadvertently or willfully?

1. Take immediate action to stop the breach if applicable

It may be appropriate to take an immediate step to ensure confidentiality isn't further breached. For example, if a coworker is discussing a patient with you and you don't have a professional reason to know about the case, remind them that patient confidentiality laws are in play and they should stop discussing the patient with you. 

In the study published by BMC Med Ethics, around 54 percent of the observed breaches occurred as a result of consultation and disclosure of personal data — in short, they occurred when staff discussed patients with each other inappropriately.

2. Report the breach of patient confidentiality

"Nurses should pay attention to compliance training so they know what steps their facility wants them to take if they see a violation," says Johnson. "It's safe to say nurses should never just ignore the breach. That can make them complicit."

Johnson says to report the breach of patient confidentiality up the chain of command. It's usually appropriate for nurses to report to nurse supervisors or managers; they might also make a report to a department head. 

If you're uncomfortable speaking to someone in your department — or if that person is the cause of the breach — speak to someone in the compliance department.

"Many facilities have special hotlines, internet portals, or email addresses for reporting issues," says Johnson.

"Some compliance reporting options even include anonymity for certain cases, but nurses shouldn't worry about their report being publicized. Compliance staff is usually trained to hold reports and investigations confidential."

What Happens when a Nurse Breaches Patient Confidentiality?

Cases are usually reviewed individually, and consequences can range from an informal conversation to being let go. The severity of the reprimand usually depends on the size of the breach, the factors that led up to it, and the intent of the nurse.

For example, a nurse in one facility reportedly reviewed the records of a patient who was also her neighbor. She had no reason to look at the records, but did so anyway. 

Furthermore, she then confronted the patient in a waiting room to ask more about the procedure the patient was having. After an investigation, the nurse was fired because the facility involved felt this was a very severe breach of patient privacy.

"Nurses shouldn't worry they're going to get fired if they're doing their jobs as required and accidentally cause a breach," Johnson says. "Most hospitals don't jump automatically to the termination."

In fact, coming forward immediately with a report can mean a more positive outcome for nurses who make accidental breaches. Immediate reporting gives a facility an opportunity to correct an error before it becomes a bigger issue.

Nurses who make accidental breaches may be required to attend additional training. They could also face disciplinary action such as being written up or even suspended if the accidental breach was a result of a careless error or not following compliance policies appropriately.

The bottom line is that a breach of patient confidentiality is a serious occurrence in any healthcare setting. As a nurse, you are obligated to take care of the patient and maintain his or her privacy, and you can't afford to ignore a breach. Whether or not you caused it, reporting it is usually the best course of action.