NZ couple 'emotionally distressed' after receptionist disclosed their sexual health check-up

Woman, waiting room.
Woman, waiting room. Photo credit: Getty.

A couple has complained to the Privacy Commissioner after they discovered a medical centre receptionist had revealed their personal information regarding sexual health.

The receptionist, who is unidentified, had attended a large family gathering including a number of extended family members. The Privacy Commissioner says the receptionist began talking to another guest, who happened to be a close friend of the couple. 

The guest, who was aware of her friends' trip to the medical centre, questioned the receptionist about the reason for their visit. The receptionist rebuffed initial questions due to her obligation to retain patient privacy, but claims she was pressured by the guest into disclosing details of the appointment. 

The receptionist then revealed the couple had been to the clinic for a sexual health test, and swore the other guests to secrecy. Another guest subsequently informed the couple of the medical centre worker revealing their private information.

The receptionist admitted the privacy breach during an apologetic phone call with the couple. The complainants took the breach to the Health and Disability Commissioner, who referred the case to the Privacy Commissioner. 

"The couple said there was no reasonable explanation as to why the receptionist would have known about the test, unless she had improperly accessed medical files," says the Commissioner's case notes.

The couple claimed the disclosure of their private information to friends and acquaintances had caused extreme humiliation and emotional distress. 

Their case raised issues under rules 5 and 11 of the Health Information Privacy Code (HIPC). Rule 5 requires health agencies to protect health information by reasonable security safeguards, while 11 states information may not be disclosed unless the agency believes on reasonable grounds it is authorised by the person concerned.

The medical centre admitted the breach. The receptionist claimed to her employer she came across the information in the patient notes, but couldn't remember why. However, the patient management system only recorded a staff member editing a file, not accessing it.

Under section 4 of the Privacy Act, the actions of an employee are treated as the actions of the agency. However, the medical centre told the Commissioner they should not be held liable for the actions of the receptionist.

The receptionist has been dismissed.

The Privacy Commissioner recommended for the medical centre to make changes to its electronic records system.

The investigation has been discontinued as the couple failed to respond to follow-up emails from the Commissioner. They currently hold a certificate of investigation if they wish to continue the case.