Mental Health Minister Emma Davidson has named the ACT's Australian Nursing Midwifery Federation (ANMF) branch as the recipient of private patient documents sent by Canberra Health Services (CHS) staff, in an alleged breach of privacy laws.
CHS revealed earlier this week that staff had 'deliberately' sent the clinical records of 13 mental health patients to an "industrial partner", but had refused to name it until now.
The records of 13 patients were sent to the branch over a period of years, in what CHS chief executive Dave Peffer called a "serious breach".
On Wednesday, he confirmed that one Canberra Health Services staff member had been sacked over the incident and two others stood down, pending an investigation.
Alleged breach first detected by CHS in early February
On Thursday, Ms Davidson told the ACT Legislative Assembly the ACT branch of the nursing union was the recipient of the files.
She said she had waited until the patients were informed of the alleged breach before revealing the recipient's identity.
"When a breach of patient privacy occurs, it is important that the patients involved are foremost in our minds in how we respond," she said.
Ms Davidson said she first became aware of the potential breach in early February, when it was discovered by CHS.
"An audit was undertaken to determine the breadth of the breach which uncovered significant and sustained breaches of the Health Records Privacy and Access Act 1997," she said.
"On the 28th of February, I emailed the CEO of CHS and the ANMF ACT branch secretary to express my concerns about the impact on patients and on staff who are trying to create a safe workplace of high-quality care."
Ms Davidson said she asked both Mr Peffer and the head of the ANMF to meet with her.
"Within hours I received a reply from the CEO of CHS suggesting times that would suit for a meeting. On 1 March I received a letter from a lawyer engaged by ANMF requesting that all future correspondence be directed to them instead of to ANMF and declining my request for a meeting," she said.
"As the matter is being considered by external regulatory bodies, I cannot provide any further information and have been reassured that CHS will provide me with updates or other information as it comes to hand."
Staff can share patient information if they have safety concerns: union
ANMF ACT secretary Matthew Daniel said the allegations raised with the union in February "came out of the blue" for them.
"We've had no contact from the AFP or any other authorities," Mr Daniel said.
"The ANMF and CHS have had a long relationship in relation to the lawful disclosure of patient information.
"It's been practice for as long as I've been in this organisation – and before."
Mr Daniel points to CHS's own Information Privacy Policy, which states exceptions are available to allow disclosure of individual's personal information, including where staff "reasonably believe that collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety".
"It's lawful for nurses and midwives to engage with their union where they have patient safety concerns," Mr Daniel said.
"Under the legislation and under CHS's own policy, nurses can disclose information to the ANMF where there's serious risk to patients, and they can do that without consent.
"It's an important role that we play that members can come to us and lawfully disclose information so that we can disclose their concerns about patient safety and so we can advocate on their behalf.
"I think it's evident the range of issues the ANMF has raised with patient safety the need for ratios for safe staffing levels and all sorts of other safety issues that we've raised over time rely on us having our members being able to use and lawfully disclose that information."
Mr Daniel said the ANMF had processes for protecting information, including confidentiality agreements with their staff, and store the information according to government regulations and compliance.
He expressed concerns calling into question the legality of sharing any patient information would "create great uncertainty" for nurses and midwives when considering disclosing information about patient safety concerns in future.
"This might mean nurses and midwives will not raise patient safety issues with us. Who do they turn to?" he said.
"They might go to the Health Services Commissioner, but in many cases we're their first point of call because we can advocate on their behalf.
"We're not sure of CHS's motivation in terms of its change to the interpretation of [the policy and law]. It certainly means if this interpretation is applied equally, to everyone – current executives and directors of CHS will need to be stood aside pending investigation."
Information shared did not reach threshold: CHS
However, Canberra Health Services chief executive Dave Peffer said that, while there were exceptions to sharing personal information, the information shared in the alleged breach did not meet this threshold.
Mr Peffer pointed to examples such as when clinicians were responding to a mental health patient with escalated behaviours in partnership with police or paramedics.
He also said there were exceptions where paediatric teams needed to make disclosures to child protection.
"There are exceptions that exist as to where the information can be shared, that's true," he said.
"Within the act, it does provide for circumstances where there is a significant risk to life or health that information can be disclosed without the consent of the patient.
"It is subject to the investigation, but we wouldn't be taking the action if we thought the threshold had been met."
'Raises more questions now than it answers'
Canberra Liberals MLA Jeremy Hanson said the ANMF being revealed as the recipient of the documents raised questions around the extent of the alleged breach.
"I think everyone would be very disturbed to find out that it's the nurses' union that is the alleged perpetrator," he said.
"It raises more questions now than it answers. In particular, is this more extensive across the health service?
"[Has it] just happened in mental health, or given this is the nurses' union, is this something in terms of privacy and records that's happened elsewhere in the health service? And is this more extensive across government? Are there other unions that have been involved in providing data or receiving data?"
Mr Hanson said would urge the Integrity Commissioner to look into how far the alleged breach went within the mental health unit and beyond.
"I'll be writing to the Integrity Commissioner and asking that as he investigates the specific aspects of the breach that's occurred within the mental health unit to see whether it's more extensive across the whole of Canberra Hospital and Canberra Health Services, and indeed elsewhere in government."
Staff reminded of privacy laws
Ms Davidson said support was being provided to the patients affected, and CHS was working with staff to ensure all were aware of the laws around patient privacy.
Staff were sent an email of March 6 reminding them of the rules and directing them to training materials.
"It also acknowledged the importance of complying with relevant obligations and the trust that our community and patients place in the health service when sharing sensitive personal information," Ms Davidson said.
"As part of industry registration, nurses, doctors and allied health professionals undertake ... training on the handling of personal health information, which includes when they can be accessed, who can access them, how they can be disseminated, how to securely store them and/or destroy them and the privacy principles that underpin these decisions."
Yesterday, while announcing that three staff members had faced consequences over the alleged breach, Mr Peffer also apologised to the mental health patients affected.
"When something like this happens, we move as quickly as we can," Mr Peffer said.
"Within our organisation, we take this incredibly seriously.
"It has sent a shock wave through our service."
