INSIGHTS: Privacy, legal liability and the pharmacist

December 2, 2013

What were the legal implications of allowing a third party access to a pharmacy’s computer to identify patients who may benefit from the Home Medicines Review (HMR) program?

Meridian Lawyers Managing Principal, Paul Baker, says that under no circumstances should a third party be allowed access to a pharmacy computer or for that matter any dispensary or business records that may identify a patient or a patient’s medication history without the patient’s express consent.

I am aware of instances where pharmacists have been asked to review dispensing data to identify patients on multiple medications who may benefit from the HMR program. My understanding is that once these patients have been identified, contact is made with the relevant general practitioner to place the patient on the program. While the thinking behind this may have health benefits for patients, such conduct is in flagrant breach of the law including the Privacy Act 1988 (Cth) and the Health Records Act 2001 (VIC). Significant penalties apply for such breaches and my view is that there would be the potential for civil action to be brought against the pharmacist for breach of confidentiality as well as disciplinary action by the professional body (i.e. the Pharmacy Council).

I should also add that even if this information was obtained by a pharmacist or a pharmacy employee by contacting the general practitioner or using that information in any way without the patient’s consent, it also constitutes a breach of the legislation and gives rise to the same legal consequences applying to third party access.

Pharmacists should also be aware that insurance protection is unlikely in these circumstances given the conduct involves what is essentially tantamount to a criminal act.

Over the past decade there have been significant developments in the law concerning privacy, resulting in strict obligations on health professionals concerning patient confidentiality. As such the law now stringently regulates the collection, storage, use, access, disclosure and destruction of a patient’s personal information. The laws reflect the general principle that an individual has a right to privacy and that no third party should be entitled to access any personal information, including pharmacy records, without the express consent of the patient/s.

There are now complementary Commonwealth and State privacy laws that apply to pharmacists. If a pharmacist breaches the legislation a patient can complain to either the Commonwealth Privacy Commissioner or the Health Services Commissioner. As indicated the Commissioners are able to impose significant penalties on offenders and their investigation will review the nature of the breach, the frequency and what action has flowed as a result of access to such information.

In my view allowing third party access to pharmacy records without patient consent where not only the names of the patients are accessed but also where full medication histories and general practitioner contact details are accessed, is at the higher end of the severity scale.

Under the Victorian legislation where a breach is established and a compliance notice issued, a pharmacist’s failure to comply with that notice can result in a fine of up to $300,000.

My view is that such conduct is likely to be deemed professional misconduct, which also exposes a pharmacist to various sanctions including the potential for an additional financial penalty. So this is certainly conduct that is contrary to the law and gives rise to serious potential ramifications for an offending pharmacist.