Close search

Search the handbook

  • 20 Medical and Mental Health
  • Medical Treatment
  • Access to Information and Confidentiality
handbook symbol Tasmanian Legal

Access to Information and Confidentiality

Access to Information

Australian privacy laws give a general right of access to a person to access their own medical information. If a person’s My Health record doesn’t contain sufficient information for their need, they can request information from their health care provider.

If there is a dispute between the health care provider and the patient, in Tasmania, the Health Complaints Commissioner deals with any complaints in relation to access to information.

Access to medical information can only be refused in some situations  if:

  • it may threaten your or someone else’s life, health or safety
  • it may impact someone else’s privacy
  • giving access would be unlawful

Requests should preferably be in writing, giving as many details as possible to help identify the records.

In the case of court actions, the court can order that medical records be produced. However, the patient is likely to need the records much earlier than this so that lawyers can decide whether or not legal action would have any chance of success. An uncooperative individual or institution can make life very difficult for a patient who wants to take action over harm suffered while in their care.


While patients have some legal right to expect that information held by a hospital or doctor will not be disclosed to others without their consent, that right is difficult to enforce.

The widest protection for the patient, at least as far as information held by doctors is concerned, comes from the rules contained in the Code of Ethics published by the Australian Medical Association. These rules are not laws. If a patient suffers as a result of breach of the code, it may be evidence of negligence. The patient cannot, however, sue for breach of confidence purely on the ground that an ethical rule has been broken. See: Australian Medical Association Code of Ethics for a copy of the Code of Ethics.

In order to sue a hospital or doctor because of a breach of confidence, the patient must have suffered some harm as a result of the breach. Harm in this sense might be, for example, the loss of a job because the employer found out about a medical condition. Hurt feelings or pride do not usually give rise to legal rights. If loss has been suffered, the patient may, according to the circumstances, sue on the grounds of breach of contract, negligence and possible breach of an equitable duty of confidence.

Where a patient is paying for health services, a contract exists between the patient and care provider. A basic term of that contract (implied, even though it is rarely expressed) is that the patient’s secrets will not be disclosed without their consent.

The patient’s consent may, of course, be implied in some situations. For example, information given to allied health professionals or other hospital staff who ‘need to know’, would have the patient’s implied consent.

In other situations, information is given because it is required by law. A doctor or hospital could not be sued for breach of contract if records are subpoenaed, or if there is a legal obligation to notify some authority. For example, doctors must notify the Health Department if their patients have certain infectious diseases. They are also under a duty to report cases of known or suspected child abuse. It may be that a patient’s consent would be implied in the case of information given to relatives, but not if the patient has expressly said they don’t want relatives to know. Relatives, even ‘next-of-kin’, have no right to demand information about the patient, unless they are the parent of a child patient, or a patient’s legal guardian. This restriction extends to wives or husbands who may be denied access to ‘sensitive’ information.

In the case of children and certain mentally ill or intellectually disabled patients, the contract is between the doctor or hospital and the person who arranged the treatment. It is therefore that person’s consent which is needed for any disclosure.

An equitable duty of confidentiality may exist in cases where there is no contract (patients in public hospitals probably do not have a contract). All doctors and allied health professionals with access to information about the patient are probably subject to this duty. There are no cases directly on the point, and the law is not clear in this area. A patient would probably be able to obtain an injunction to prevent disclosure of such information except to hospital staff who ‘need to know’.

Negligence is a possible cause of action for breach of confidentiality. A patient who had suffered some harm could claim negligence if it could be proved that the risk of harm ought to have been foreseen by the person who, having a duty of care toward the patient, made the disclosure. It is in such a situation that the Code of Ethics would prove useful in demonstrating lack of due care.

All of these actions are expensive, time consuming and without any real guarantee of success for the patient concerned. They provide inadequate protection for the patient who has suffered, or could suffer, real loss as a result of disclosure of information and they provide no protection for those who merely want to retain their privacy.

Most health professionals are quite ethical when it comes to confidentiality. However, those cases where abuses do occur tend to have such severe consequences for the patient that there is a good argument for new laws to regulate information practices.

Page last updated 27/02/2022

Previous Section Abortion/Termination of Pregnancy