Don't tell them I told you — Managing unsolicited patient information from third parties

You may receive opinions about your patient which are impossible to interrogate. Is the person offering the information being well-meaning or malicious? If managed poorly, you risk the loss of therapeutic rapport, as well as complaints from the patient, the information provider, or both.

“Dad’s actually an alcoholic. He shouldn’t be on the road. But he never tells you this stuff. He just says he’s great. Make sure you get his licence cancelled … and whatever you do, don’t tell him I told you this.”

Privacy law

Under the Commonwealth Privacy Act, health organisations should collect personal information (relevant to providing healthcare services) from the patient personally, or from third parties where the patient has consented, or where the patient would reasonably expect the information to be provided.

Where the patient is not the provider, has not consented, or would not reasonably expect the information to be provided, unless an exception applies, the information should be destroyed. Exceptions include information required by law or professional obligations; information kept or actioned so as to minimise a serious threat to life/health/safety or a missing person; investigating serious misconduct or unlawful activity; or information necessary for a legal claim.

The information provider

You don’t owe the information provider a duty of confidentiality – but if you store the information without their consent (using personal identifiers) you’re potentially breaching their privacy. Even deidentifying the information may be insufficient if the patient can still identify the source. The information provider may make a regulatory or privacy complaint, or they could be exposed to serious risk if their identity becomes known.

The therapeutic relationship

If you do tell the patient about the information and where it came from, therapeutic trust may be fractured once the patient discovers you have recorded unverified information about them in the records. Talking about them with a third party without their consent is not a breach of confidentiality if all you do is listen, but it may be perceived as a breach of trust.

If you don’t tell the patient, the information provider may later ‘confess’ to the patient about the discussion with you, leaving the patient to doubt your candour and honesty, and raise concerns about breach of privacy, confidentiality and trust.

Is the information legitimate?

Without being able to discuss the nature and source of the information with your patient, you can’t be sure the information is genuine. Storing unverified information in the patient records risks it being promulgated by other care providers, or being disclosed when you release records to other parties. Other providers and record recipients may inadvertently discuss the content with the patient.

Redacting information from the file (presuming your record system allows this at all) may be impossible if the information has been provided to other care providers and incorporated in their records and health documents.

Where to store the information

Storing the information can be problematic. Retrospectively demonstrating how you responded to the request can be difficult if you keep no records – but if unsolicited information is inappropriately stored in the records, it may be difficult to unwind the decision.

If storing the information in the patient record is not possible, then what are the options? Refusing to accept the information in the first place is ideal (with an explanation as to why). However, information may be sent to the practice and opened before the nature of the unconsented disclosure is understood. Returning the information, or destroying the document, is usually appropriate.

There may be matters where there are competing legal, ethical or professional reasons as to why the information should be both deleted and kept. Otherwise, you may have difficulties demonstrating why you refused to accept and act on the information. In the example above, how would you remember or prove the exchange at an inquest several years later, where the relative alleges that you refused to act on their driving safety concerns, leading to the death of the patient in an MVA? Determining a suitable location to store the information is problematic – it may be necessary to obtain medico-legal advice (and your MDO may store the document as part of that advice).

How to respond?

Prompt recognition and discussion about unsolicited information being provided by third parties allows you to set boundaries early. A workplace policy on unsolicited information empowers staff to manage these situations consistently. The information provider should be encouraged to share their concerns with the patient, or to attend a consultation with them. If the information is important enough, they may allow you to tell the patient about their concerns.

Some information must be acted on (e.g. mandatory reporting or a serious risk of harm) – even if this is against the instructions of the person providing the information.

Take-home message

Managing unsolicited information from third parties remains one of the most complex medico-legal issues we deal with. You may receive opinions about your patient which are impossible to interrogate. Is the person offering the information being well-meaning or malicious?

If managed poorly, you risk the loss of therapeutic rapport, as well as complaints from the patient, the information provider, or both.

In difficult situations, seek medico-legal advice early – before the information is stored in the record. Promising that you will accept and act on the information, without revealing the source, creates a very challenging professional, legal and ethical dilemma from which there may be no easy way back.