A medical receptionist who blabbed about a couple's sexual health at a party has been fired - and a complaint referred to the Privacy Commissioner.
The woman was at a family gathering with extended family members, including a close friend of the couple in question.
Knowing they had visited the centre, the friend showed the receptionist a photo of the couple and asked why they had been there.
"The receptionist initially rebuffed the questions, explaining she could not discuss patient records because it breached patient privacy," the Privacy Commissioner said.
"At this point, she claimed she was pressured further to divulge details of the appointment. After swearing others to secrecy, the receptionist revealed the couple had been into the clinic months ago for a sexual health test."
After word of the embarrassing disclosure got back to the couple, the receptionist called them to apologise, admitting she had breached their privacy.
They complained to the Health and Disability Commissioner, who referred them to the Privacy Commission.
"The couple said there was no reasonable explanation as to why the receptionist would have known about the test, unless she had improperly accessed medical files," the commissioner said.
Their complaint said the incident had caused them "extreme humiliation and emotional distress".
In the medical centre's own investigation, the receptionist told her bosses she had come across the information in the patients' notes months earlier but could not remember why.
The medical centre told the Privacy Commissioner its electronic filing system for patients' notes did not record when a staff member looked at a file - only if they edited it.
Under rule 5 of the Health Information Privacy Code, a health agency that holds information must keep it safe from being accessed without authorisation.
The medical centre has now been informed of its obligations to secure records against "inappropriate employee browsing".
"We advised it would be unlikely to meet those standards if its systems did not record times when staff accessed patient records," the Privacy Commissioner said.
The commissioner also considered whether the medical centre was responsible for the privacy breach.
The centre argued it was not liable for its employee's actions. It had investigated the incident and fired the receptionist in question.
Staff had been made aware of the importance of keeping patient information confidential.
But the commissioner suggested the centre should make security safeguards in its electronic records system "more robust".
The Human Rights Tribunal would be the appropriate forum to determine whether the medical centre had a defence under the Privacy Act, the commissioner said.