Disclosing patient images: the importance of confidentiality
24 November 2022
The issue of patient confidentiality should always be at the forefront of a doctor’s mind. This is especially so when considering whether a patient’s clinical images may be used for a purpose outside of the doctor-patient treating relationship. With the growing role of the Internet and social media in our lives, it is important to remain vigilant of the regulations governing the disclosure of patient images.
Pursuant to the AMA Guide to Clinical Images, clinical images fall within the category of ‘health information’ and are therefore subject to the same confidentiality standards as any other health records. Images should only be taken with consent, must be stored securely and should only be shared with express up-to-date consent or under a legal obligation. As with any other health information, clinical images should not be shared online without the appropriate consent of patients. The dangers of disclosing patient images online without consent were explored in a recent legal case.
Between 2016 and 2019, a doctor posted a range of gruesome images, confidential patient information and abhorrent messages on social media and on an Internet forum. Information published included images of the doctor at work, of his patients, of his patients’ clinical records and comments around his treatment of patients. Some of these posts contained information enabling patients to be identified.
Specifically, the doctor posted numerous clinical images of patients to social media. The images uploaded included patients’ X-rays, CT scans, injuries and clinical records that may have enabled these patients to be identified. The images were accompanied by commentary on the doctor’s diagnoses and treatment of these patients.
Following complaints, the doctor was suspended by the Medical Board of Australia under section 156 of the Health Practitioner Regulation National Law (the National Law) in 2019. 
The matter was referred to the Victorian Civil and Administrative Review Tribunal (the Tribunal) and the doctor accepted that his actions were ‘utterly unacceptable’. The Tribunal found that the doctor engaged in conduct amounting to professional misconduct.  The Tribunal considered that the doctor had acted in a manner which ‘undermines the good standing of the profession and is at odds with community expectations’ and that his conduct fell ‘substantially below the standard reasonably expected of a registered health practitioner of an equivalent level of training or experience.’ 
The Tribunal had regard to the ongoing risk posed by the doctor and ultimately cancelled his registration. The doctor also received a formal reprimand and was disqualified from applying for registration until December 2023, totalling a mandatory 4.5 years out of practice. The Tribunal deemed it appropriate to cancel the doctor’s registration in order to complete his journey of rehabilitation and demonstrate that he could again be a fit and proper person to resume practising in the medical profession.
In the allegations against the doctor, the Medical Board referred to the Good Medical Practice: A Code of Conduct for Doctors in Australia (2014) which provides that:
- A good doctor-patient partnership requires high standards of professional conduct, and involves protecting patients’ privacy and right to confidentiality, unless release of information is required by law or by public-interest considerations (cl 3.2.3);
- Patients have a right to expect that doctors and their staff will hold information about them in confidence (cl 3.4);
- Good medical practice involves:
  - Treating information about patients as confidential (cl 3.4.1);
  - Using consent processes, including forms if required, for the release and exchange of health information (cl 3.4.3); and
  - Ensuring that your use of social media is consistent with your ethical and legal obligations to protect patient confidentiality and privacy (cl 3.4.5).
The Medical Board also relied on its Social Media Policy (March 2014) which relevantly provides:
- that in using social media, just as with all aspects of professional behaviour, health practitioners should be aware of their obligations under the National Law, their Board's Code of Conduct…and other relevant legislation, such as privacy legislation (p 4);
- the Code of Conduct contains guidance about the required standards of professional behaviour, which apply to registered health practitioners whether they are interacting in person or online (cl 1);
- the Code of Conduct also articulates standards of professional conduct in relation to privacy and confidentiality of patient information, including when using social media (cl 1); and
- for example, posting unauthorised photographs of patients in any medium is a breach of the patient's privacy and confidentiality, including on a personal Facebook site or group even if the privacy settings are set at the highest setting (cl 1). 
Key takeaways from the case
The case serves as a reminder of the importance of confidentiality in the doctor-patient relationship. Given the centrality of trust and patient safety, doctors must ensure that patient health information is kept private and must use appropriate consent mechanisms if disclosure is required. Moreover, doctors should remain vigilant of patient privacy when using social media to avoid disclosure of personal information – even when privacy settings are at the highest setting and a personal account is used. As such, while the disclosures made by the doctor were particularly objectionable in the context of the accompanying abhorrent commentary, this case is a useful reminder of the dangers of intentional or unintentional disclosures of patient images online.
Permitted uses of patient images
There are some situations when disclosure of patient images is permitted. The disclosure of patient images for the purpose of providing a health service is permissible with the patient’s express up-to-date consent. The disclosure of health information without patient consent may be permissible in medical emergencies or where required by law.  Clinical or epidemiological research may also involve the use of patient images without consent – this disclosure should be limited to the minimum amount necessary for the research and the patient’s identity must be protected.  This may include the de-identification of clinical images before they are used in research. Doctors should also ensure that medical research is conducted in accordance with protocols approved by an ethics committee and that the recipient of the images will not use the information for any other purpose. 
In any of the above situations, doctors should ensure patients are aware of the limits to their confidentiality at the outset of consultations and should limit any disclosure as far as practicable.
The decision from this case acts as a useful reminder of situations in which the disclosure of patient health information is prohibited. To comply with regulations, doctors should ensure that patient images are treated with the same degree of confidentiality as any other health information. Patient images may be disclosed without consent only in limited circumstances - it is useful to keep detailed records of any discussion with patients regarding confidentiality and any possible disclosure of their images. These discussions will ensure patients retain a sufficient degree of control over the use and disclosure of their health information.
By Anjali Woodford, Partner, and Estelle Sutherland, Paralegal
 AMA Guide to Clinical Images (2021).
 Health Practitioner Regulation National Law (Victoria) Act 2009 s 156.
 Ibid s 5.
 Medical Board AHPRA, Good Medical Practice: a Code of Conduct for Doctors in Australia (2014). Note that an updated version of this policy was published in October 2020.
 Medical Board AHPRA, Social Media Policy (2014). Note that this policy was retired in November 2019. The Board now relies on Social Media: How to Meet Your Obligations under the National Law (2019).
 See AMA Guidelines for Doctors on Disclosing Medical Records to Third Parties (2010) cl 4, 5.
 See e.g. Privacy Act 1988 (Cth) s 16B.
 AMA Guidelines for Doctors on Disclosing Medical Records to Third Parties (2010) cl 22; Privacy Act 1988 (Cth) s 16B(3).