Patient Privacy is Not Optional: Lessons from a Case of Improper Access to Medical Records
Protecting patient privacy is one of the foundational obligations of medical practice in Australia. While most doctors understand this in principle, a recent case involving a junior doctor in the ACT serves as a powerful reminder of what happens when this responsibility is breached.
When Personal and Professional Lines Are Crossed
In 2021, a junior doctor met a female colleague shortly before they both commenced work at Calvary Public Hospital (now North Canberra Hospital). After a brief personal interaction, including a coffee meeting and messages expressing interest, the female doctor requested no further contact. The situation escalated when she later reported her car mirror had been vandalised—an incident she associated with the male doctor after he posted an image on social media holding a similar car mirror.
This prompted Canberra Health Services to investigate, revealing that the doctor had accessed her private medical records without clinical justification. This included viewing pathology results and clinical notes. Initially denying the allegations, the doctor later admitted it was “something that quite possibly [he] may have done” as a result of “underlying anger and resentment” after the personal relationship ended.
The ACT Civil and Administrative Tribunal deemed the act of accessing the records—and then lying about it—to be professional misconduct. The doctor was suspended for 14 months under emergency powers by the Medical Board of Australia. Although ultimately reprimanded (rather than deregistered), the tribunal made clear that this breach of trust and confidentiality was serious and warranted formal sanction.
Why This Matters: The Broader Principles at Stake
1. Privacy is a Legal and Ethical Obligation
According to the Australian Medical Association (AMA) Position Statement on Data Governance and Patient Privacy (1), patients are the owners of their health data. Doctors are merely custodians, and may only access data for legitimate clinical reasons. Unauthorised access—even out of curiosity, concern, or personal interest—is a breach of both professional ethics and potentially privacy legislation.
The AMA further emphasises that:
Patient records must not be accessed without a legitimate clinical need.
Custodians of health data must act within the bounds of law and ethics.
Health services must ensure that access controls, audit trails, and accountability measures are in place to prevent and detect misuse of patient information.
(AMA, 2022 Position Statement: Data Governance and Patient Privacy in Healthcare)
2. Breach of Privacy is Professional Misconduct
The Medical Board of Australia’s Code of Conduct outlines that accessing medical records without justification is a clear breach of good medical practice:
Clause 4.4.3: Doctors must only access an individual’s medical record when there is a legitimate need.
Clause 2.1: Doctors are expected to be honest, ethical and trustworthy.
Clause 10.2.1: Professional boundaries must be maintained.
Clause 10.5.2: Records must be protected from unauthorised access.
Clause 8.3.3: Colleagues and employers have a duty to protect patients from inappropriate conduct.
This code makes it clear: the misuse of health data—especially outside a direct doctor-patient relationship—is unacceptable and will likely attract regulatory action.
What Doctors Need to Know
This case is about an inappropriate blending of personal grievance and professional access—an error in judgement that had real consequences for both parties. It’s a cautionary tale for all doctors, especially those in early career stages or working in smaller teams where access to digital records may feel casual or unchecked.
Whether reviewing a friend's imaging, looking up a well-known patient out of curiosity, or searching records for someone you've met socially—if it’s not part of your clinical role, you must not access it.
Takeaways for Practice
Never access a patient’s health information unless you are directly involved in their care.
Be aware that all access is auditable, and inappropriate access may be detected even months later.
Maintain clear professional boundaries—even outside of clinical interactions.
Understand that violations of privacy can lead to suspension, investigation, and long-term impacts on your registration.
If in doubt, ask yourself: Would I be comfortable justifying this access in front of a tribunal?
Conclusion
Protecting patient privacy is more than a policy—it is a core trust upon which the medical profession is built. The standards are clear, and the expectations are high. As this case demonstrates, even a momentary lapse in judgement can have lasting professional consequences.
References
Australian Medical Association (2022). Data Governance and Patient Privacy in Healthcare: Position Statement. Retrieved from: https://www.ama.com.au/articles/data-governance-and-patient-privacy-healthcare
Medical Board of Australia (2020). Good Medical Practice: A Code of Conduct for Doctors in Australia. Retrieved from: https://www.medicalboard.gov.au/Codes-Guidelines-Policies/Code-of-conduct.aspx
ACT Civil and Administrative Tribunal case details as reported publicly in 2024 media summaries (referenced content redacted for privacy).