2006 - Complaint Case Note 21

View printable version of this page

Case Citation: 

V v Health Service Provider [2006] PrivCmrA 21

Subject Heading:

Loss of a medical record by a health service provider.

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

Facts:

A complaint was made to the health service provider by a parent (the complainant’s representative) on behalf of their teenage child (the complainant). The complaint concerned the health service provider’s loss of the complainant’s medical record, dating from their birth.  The health service provider had twice conducted a search of its current records, as well as its off-site archived records, but was unable to locate the complainant’s medical record. The health service provider advised the complainant’s representative that it was likely that the complainant’s medical record had been misfiled. The health service provider apologised, and advised that it had attempted to reconstruct the medical record using information that was available electronically, or available from other originating sources. The complainant’s representative was dissatisfied with the action taken by the health service provider, and wrote to the Privacy Commissioner to complain about the matter.

Issues:

National Privacy Principle 4.1 requires that an organisation take reasonable steps to protect the personal information it holds from misuse, loss and from unauthorised access, modification or disclosure. 

The issue before the Commissioner was how the loss of the complainant’s medical record occurred, and whether the policies and procedures the health service provider had in place to manage personal information were sufficient to meet the requirements of National Privacy Principle 4.1. The Commissioner also considered whether the health service provider had taken all reasonable steps to locate the missing medical record.  

Outcome:

The Commissioner made preliminary enquiries of the respondent, under section 42 of the Privacy Act. 

In particular, the Commissioner sought information relating to the health service provider’s hard copy and electronic record management systems, an outline of the policies and procedures in place to ensure compliance with National Privacy Principle 4.1, and the circumstances surrounding the loss of the medical record. 

The health service provider advised that it maintained around 100 000 medical records both on and off-site, and supplied the Commissioner with details of its record management system for patient records. The health service provider confirmed that it had undertaken a comprehensive search for the complainant’s medical record, both on and off-site, but had failed to locate it. It stated that it could not fully account for the circumstances surrounding the loss of the medical record, however it believed it had been misfiled as a result of human error. 

The Commissioner was of the view that the health service provider’s record management policy, which included access controls, physical security measures and storage, archiving and shredding protocol, was reasonable, and that it appeared that the misplacement of the medical record was the result of human error and not the result of a systemic procedural problem on the part of the health service provider. 

The Commissioner also noted that in this instance, where the health service provider’s record management practices had failed, the health service provider had made a significant effort to locate the records and then to reconstruct the medical record as comprehensively as possible. The Commissioner formed the view that, in taking these steps, the health service provider had adequately dealt with the complaint. In the absence of contrary submissions from the complainant’s representative, the Commissioner closed the complaint under section 41(2)(a) of the Privacy Act. 

OFFICE OF THE PRIVACY COMMISSIONER
August 2006