Criterion 4.2.1 – Confidentiality and Privacy of Health ... · Our security policies and...

Post on 16-Sep-2020


Criterion 4.2.1 – Confidentiality and Privacy of Health Information

Practice Policy – Practice Privacy Policy

This practice is bound by the Federal Privacy Act (1988) and Australian Privacy Principles (APPs), and also complies with the Victorian Health Records Act (2001).

‘Personal information’ is information that identifies you or could reasonably identify you. ‘Personal health information’, a particular subset of personal information, can include any information collected and held to provide a health service.

This information includes medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, accounts details and any health information such as a medical or personal opinion about a person’s health, disability or health status.

It includes the formal medical record whether written or electronic and information held or recorded on any other medium eg letter, fax, electronically or information conveyed verbally.

Our practice has a designated person, Kellie Adam, with primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our computer information security policy (Criterion 4.2.2). This responsibility is documented in the position description. Tasks may be delegated to others and this person works in consultation with the privacy officer.

Our security policies and procedures regarding the confidentiality of patient health records and information are documented and our practice team are informed about these at induction and when updates or changes occur.

The practice team can describe how we correctly identify our patients using 3 patient identifiers, name, date of birth, address or gender to ascertain we have the correct patient record before entering or actioning anything from that record.

For each patient we have an individual patient health record, electronic, containing all clinical information held by our practice relating to that patient. The practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. We also ensure information held about the patient in different records (eg at a residential aged care facility) is available when required.

Practice Procedure – Practice Privacy Policy

Doctors, allied health practitioners and all other staff and contractors associated with this practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right.

The maintenance of privacy requires that any information regarding individual patients, including staff members who may be patients, may not be disclosed either verbally, in writing, in electronic form, by copying either at the practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the practice or as legally directed.

There are no degrees of privacy; all patient information must be considered private and confidential, even that which is seen or heard, and therefore is not to be disclosed to family, friends, staff or others without the patient’s approval. Sometimes details about a person’s medical history or other contextual information such as details of an appointment can identify them, even if no name is attached to that information, and as such it must be protected under the Privacy Act.

Any information given to unauthorised personnel will result in disciplinary action and possible dismissal. Each staff member is bound by his/her privacy clause contained within the employment agreement which is signed upon commencement of employment at this practice.

Personal health information should be kept where staff supervision is easily provided and kept out of view and access by the public eg not left exposed on the reception desk, in waiting room or other public areas or left unattended in consulting or treatment rooms.

Practice computers and servers comply with the RACGP computer security checklist and we have a sound backup system and a contingency plan to protect the practice from loss of data (See Criterion 4.2.2 – Computer information security).

Care should be taken that the general public cannot see or access computer screens that display information about other individuals. To minimise the risk automated screen savers should be engaged.

Members of the practice team have different levels of access to patient health information (See Criterion 4.2.2 – Computer information security). To protect the security of health information, GPs and other practice staff do not give their computer passwords to others in the team.

Reception and other practice staff should be aware that conversations in the main reception area can often be overheard in the waiting room and as such staff should avoid discussing confidential and sensitive patient information in this area.

Whenever sensitive documentation is discarded the practice uses an appropriate method of destruction: shredding and security bin, or computer drive, memory sticks etc are reformatted.

Correspondence

Electronic information is transmitted over the public network in an encrypted format using secure messaging software. Where medical information is sent by post, the use of secure postage or a courier service is determined on a case by case basis.

Incoming patient correspondence and diagnostic results are opened by a designated staff member.

Items for collection or postage are left in a secure area not in view of the public.

Facsimile

Facsimile, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised staff. Faxing is point to point and will therefore usually only be transmitted to one location.

All faxes containing confidential information are sent to fax numbers ensuring the recipient is the designated receiver.

• Confidential information sent by fax has date, patient name, description and destination recorded in a log on the Fuji Xerox machine.
• Write “Confidential” on the fax cover sheet
• Check the number dialled before pressing SEND
• Keep the transmission report produced by the fax as evidence that the fax was sent
• Also confirm the correct fax number on the report.

Faxes received are managed according to incoming correspondence protocols.

The practice uses a fax disclaimer notice on outgoing faxes that affiliates with the practice.

Disclaimer: This email and any attachments have been sent by Narre Warren Medical Centre. The information contained in this email is intended only for the use of the person (s) to whom it is addressed and may be confidential or contain privileged information. If you are not the intended recipient you are hereby notified that any perusal, use, distribution, copying or disclosure is strictly prohibited. If you have received this email in error please immediately advise us by return email and delete the email without making a copy. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached. In relation to any legal use you may make of the contents of this email, you must ensure that you comply with the Privacy Act (Cth) 1988 and you should note that the contents may be subject to copyright and therefore may not be reproduced, communicated or adapted without the express consent of the owner of the copyright.

Emails

Emails are sent via various nodes and are at risk of being intercepted. Patient information may only be sent via email if it is securely encrypted according to industry and best practice standards.

Patient Consultations

Patient privacy and security of health information is maximised during consultations by closing consulting room doors. All examination couches, including those in the treatment room, have curtains or privacy screens.

When consulting, treatment or administration office doors are closed, prior to entering, staff should either knock and wait for a response or alternatively contact the relevant person by internal phone or email.

Where locks are present on individual rooms these should not be engaged except when the room is not in use.

It is the doctor’s/health care professional’s responsibility to ensure that prescription paper, sample medications, medical records and related personal patient information is kept secure, if they leave the room during a consultation or whenever they are not in attendance in their consulting/treatment room.

Medical Records

The physical medical records and related information created and maintained for the continuing management of each patient are the property of this practice. This information is deemed a personal health record and while the practice does not have ownership of the record he/she has the right to access under the provisions of the Commonwealth Privacy and State Health Records Act. Requests for access to the medical record will be acted upon only if received in written format.

Our patient health records can be accessed by an appropriate team member when required.

Practix stores medical records. Practix is password protected per user and access to the record assigned per user to ensure the protection of all information contained in medical records e.g. passwords, access details, storage and how you ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.

Both active and inactive patient health records are kept and stored securely.

A patient health record may be solely electronic based.

Computerised Records

Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate staff members are trained in computer security policies and procedures.

NOTE: The RACGP Standards define an “active health record” as a record of a patient who has attended the practice three or more times in the past 2 years.

Practice Policy – Patients Request for Access to Personal Health Information

Patients at this practice have the right to access their personal health information (medical record) under legislation; Commonwealth Privacy Amendment (Private Sector) Act 2000 and the Health Records Act 2001 (Victoria). The HRA gives individuals a right of access to their personal health information held by any organisation in the private sector in Victoria in accordance with Health Privacy Principle 6 (HPP 6). The principle obliges health service providers and other organisations that hold health information about a person to give them access to their health information on request, subject to certain expectations and the payment of fees (if any).

Public sector organisations continue to be subject to the Freedom of Information Act 1982.

This practice complies with both laws and the Australian and Health Privacy Principles (APPs & HPPs) adopted therein. See summary headings of principles in this section. Both Acts give individuals the right to know what information a private sector organisation holds about them, the right to access this information and to also make corrections if they consider data is incorrect. Compliance with the access provisions in the Health Records Act 2001 (Victoria) will generally ensure compliance with the Commonwealth Privacy Act.

Australian Privacy Principles (APPs)
APP 1 Open and transparent management of personal information
APP 2 Anonymity and pseudonymity
APP 3 Collection of solicited personal information
APP 4 Dealing with unsolicited personal information
APP 5 Notification of the collection of personal information
APP 6 Use or disclosure of personal information
APP 7 Direct marketing
APP 8 Cross-border disclosure of personal information
APP 9 Adoption, use or disclosure of government related identifiers
APP 10 Quality of personal information
APP 11 Security of personal information
APP 12 Access to personal information
APP 13 Correction of personal information

As adopted within the Commonwealth Privacy Amendment (Private Sector) Act 2000. We have a privacy policy in place that sets out how to manage health information and the steps an individual must take to obtain access to their health information. This includes the different forms of access and the applicable time frames and fees.

Reports by Specialists

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

Diagnostic Results

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

NOTE: Amendments to the Privacy Act apply to information collected after 21st December 2001, however they also apply to data collected prior to this date provided it is still in use and readily accessible.

We respect individuals’ privacy and allow access to information via personal viewing in a secure private area. The patient may take notes of the content of their record or may be given a photocopy of the requested information. A GP may explain the contents of the record to the patient if required. An administrative charge may be applied, at the GP’s discretion and in consultation with the Privacy Officer e.g. for photocopying record, x-rays and for staff time involved in processing the request.

Practice Procedure – Patients Request for Access to Personal Health Information

A notice is displayed in our waiting room advising patients and others of their rights of access and of our commitment to privacy legislation compliance. An information brochure is also available that provides further details if required.

Release of information is an issue between the patient and the doctor. Information will only be released according to privacy laws and at doctor’s discretion. Requested records are reviewed by the medical practitioner prior to their release and written authorisation is obtained.

Request Received

When our patients request access to their medical record and related personal information held at this practice, we document each request and endeavour to assist patients in granting access where possible and according to the privacy legislation. Exemptions to access will be noted and each patient or legally nominated representative will have their identification checked prior to access being granted. A patient may make a request verbally at the practice, via telephone or in writing eg fax, email or letter. No reason is required to be given. The request is referred to the patient’s doctor or delegated privacy officer.

A request for personal health information is completed to ensure correct processing.

Once completed a record of the request is logged in the access register and the form filed/scanned in the patient record.

Request by another (not patient)

An individual may authorise another person to be given access, if they have the right eg legal guardian, and if they have a signed authority. Under NPP 2 Use and Disclosure, a ‘person responsible’ for the patient (including a partner, family member, carer, guardian or close friend), if that patient is incapable of giving or communicating consent, may apply for and be given access for appropriate care and treatment or for compassionate reasons. Identity validation applies.

The Privacy Act defines ‘a person responsible’ as a parent of the individual, a child or sibling of the individual, who is at least 18 years old, a spouse or de facto spouse, a relative (at least 18 years old) and a member of the household, a guardian or a person exercising an enduring power of attorney granted by the individual that can be exercised for that person’s health, a person who has an intimate relationship with the individual or a person nominated by the individual in a case of emergency.

Children

Where a young person is capable of making their own decisions regarding their privacy, they should be allowed to do so according to Federal Privacy Commissioner’s Privacy Guidelines. The doctor could discuss the child’s record with their parent. Each case is dealt with subject to the individual’s circumstances. A parent will not necessarily have the right to their child’s information.

Deceased Persons

A request for access may be allowed for a deceased patient’s legal representative if the patient has been deceased for 30 years or less and all other privacy law requirements have been met. Ref: Sec 28 Health Records Act. No mention is made of deceased patient’s access in Commonwealth privacy legislation.

Acknowledge Request

Each request is acknowledged with a letter sent to the patient, confirming request has been received. Send the letter within 14 days or sooner as recommended by the National Privacy Commissioner. Acknowledgement will include a statement concerning charges involved in processing the request.

Fees Charged

Discuss with the individual what information they want access to, and the likely fees, before undertaking their request for access.

The fees which an organisation can charge for providing access must not be excessive and must not apply to the mere lodgement of a request for access. National Privacy Principle (NPP) 6.4 aims to prevent organisations from using excessive charges to discourage individuals from making requests for access to their medical records. If an organisation incurs substantial costs in meeting a request for access, then the organisation could charge a reasonable fee to meet the administrative costs involved. For example, an organisation could recover some of the costs of photocopying or of the staff time involved.

Collate and Assess Information

Retrieve patient’s hard copy medical record or arrange for the treating doctor or practice principal to access the computer record. Refer to the patient request form to help identify what information is to be given to the patient.

Data may be withheld under privacy legislation NPP 6 – Access and Correction for the following reasons:

• Where access would pose a serious threat to the life or health of any individual
• Where the privacy of others may be affected
• If a request is frivolous or vexatious
• If information relates to existing or anticipated legal proceedings
• If access would prejudice negotiations with the individual
• If access would be unlawful
• Where denying access is required or authorised by law.

See National Privacy Principles in full for a comprehensive list of exclusions available at: http://www.privacy.gov.au/materials/types/infosheets/view/6583

Access Denied

Reasons for denied access must be given to the patient in writing. Note these on the request form. In some cases refusal of access may be in part or full.

Use of Intermediary when Access Denied

If request for access is denied an intermediary may operate as facilitator to provide sufficient access to meet the needs of both the patient and the doctor.

Provide Access

Personal health information may be accessed in the following ways:

• View and inspect information
• View, inspect and talk through contents with the doctor
• Take notes
• Obtain a copy (can be photocopy or electronic printout from computer)
• Listen to audio tape or view video
• Information may be faxed to patient

Check Identity of Patient

• Ensure a visible form of ID is presented by the person seeking access eg driver’s licence, passport or other photo identification. Note details on request form
• Does the person have the authority to gain access? Check age, legal guardian documents; is person authorised representative?

If the patient is viewing the data, supervise each viewing so that patient is not disturbed and no data goes missing.

If a copy is to be given to the patient ensure all pages are checked and this is noted in the request form.

If the doctor is to explain the contents to a patient then ensure an appointment time is made.

Request to Correct Information

A patient may ask to have their personal health information amended if he/she considers that it is not up to date, accurate and complete (NPP 6.5/6.6).

Our practice must try to correct this information. Corrections are attached to the original health record.

Where there is a disagreement about whether the information is indeed correct, our practice attaches a statement to the original record outlining the patient’s claim.

Time Frames

Acknowledge request – within 14 days. Complete the request – within 30 days.

Practice Policy – 3rd Party Request for Access to Personal Health Information

Requests for 3rd party access to the medical record should be initiated by either receipt of correspondence from a solicitor or government agency or by the patient completing a patient request for personal health information form. Where a patient request form and signed authorisation is not obtained the practice is not legally obliged to release.

Where requests for access are refused the patient or third party may seek access under relevant privacy laws.

An organisation ‘holds’ health information if it is in their possession or control. If you have received reports or other health information from another organisation such as a medical specialist, you are required to provide access in the same manner as for the records you create. If the specialist has written ‘not to be disclosed to a third party’ or ‘confidentiality’ on their report, this has no legal effect in relation to requests for access under the Health Records Act. You are also required to provide access to records which have been transferred to you from another health service provider.

Requests for access to the medical record and associated financial details may be received from various 3rd parties including:

1. Subpoena/court order/coroner/search warrant
2. Relatives/friends/carers
3. External doctors and health care institutions
4. Police/solicitors
5. Health insurance companies/worker’s compensation/social welfare agencies
6. Employers
7. Government agencies
8. Accounts/debt collection
9. Students (medical and nursing)
10. Research/quality assurance programs
11. Media
12. International
13. Disease registers
14. Telephone calls

We only transfer or release patient information to a third party once the consent to share information has been signed and in specific cases informed patient consent may be sought. Where possible de-identified information is sent.

Our practice team can describe the procedures for timely, authorised and secure transfer of patient health information in relation to valid requests.

Practice Procedure – 3rd Party Request for Access to Personal Health Information

The practice team can describe how we correctly identify our patients using 3 patient identifiers, name, and date of birth, address or gender to ascertain we have the correct patient record before entering, actioning or releasing anything from that record.

Patient consent for the transfer of health information to other providers or agencies is obtained on the first visit and retained on file in anticipation of when this may be required.

As a rule no patient information is to be released to a 3rd party unless the request is made in writing and provides evidence of a signed authority to release the requested information, to either the patient directly or a third party (where possible de-identified data is released).

Written requests should be noted in the patient’s medical record and also documented in the practice’s request register. Requests should be forwarded to the designated person within the practice for follow-up.

Requested records are to be reviewed by the treating medical practitioner or principal doctor prior to their release to a third party. Where a report or medical record is documented for release to a third party, having satisfied criteria for release (including the patient’s written consent and where appropriate written authorisation from the treating doctor), then the practice may specify a charge to be incurred by the patient or third party, to meet the cost of time spent preparing the report or photocopying the record.

The practice retains a record of all requests for access to medical information including transfers to other medical practitioners.

Where hard copy medical records are sent to patients or 3rd parties, copies are forwarded not original documentation wherever possible. If originals are required copies are made in case of loss.

Security of any health information requested is maintained when transferring requested records and electronic data transmission of patient health information from our practice is in a secure format.

Subpoena, court order or coroner search warrant

Note the date of the court case and date request received in the medical record. Depending on whether a physical or electronic copy of the record is required follow procedures as described above.

On occasions a member of staff is required to accompany the medical record to court or alternatively a secure courier service may be adequate. If the original is to be transported, ensure a copy is made in case of loss of the original during transport. Ensure that the record is returned after review by the court.

Relatives/Friends

A patient may authorise another person to be given access if they have the legal right and a signed authority.

In 2008 the Australian Law Reform Commission recognised that disclosure of information to ‘a person responsible for an individual’ can occur within current privacy law. If a situation arises where a carer is seeking access to a patient’s health information, practices are encouraged to contact their medical defence organisation for advice before such access is granted.

Individual records are advised for all family members but especially for children whose parents have separated where care must be taken that sensitive demographic information relating to either partner is not recorded on the demographic sheet. Significant court orders relating to custody and guardianship should be recorded as an alert on the children’s records.

External Doctors and Health Care Institutions

Direct the query to the patient’s doctor and/or the practice manager/principal doctor.

Police/Solicitors

Police and solicitors must obtain a case specific signed patient consent (or subpoena, court order or search warrant) for release of information. The request is directed to the doctor.

Health Insurance Companies/Workers Compensation/Social Welfare Agencies

Depending on the specific circumstances information may need to be provided. It is recommended that these requests are referred to the doctor.

It is important that organisations tell individuals what could be done with their personal health information and if it is within the reasonable expectation of the patient then personal health information may be disclosed. Doctors may need to discuss such requests with the patient and perhaps their medical defence organisation.

Employers

If the patient has signed consent to release information for a pre-employment questionnaire or similar report then direct the request to the treating doctor.

Government Agencies

Medicare/Department of Veterans Affairs – depending on the specific circumstances information may need to be provided. It is recommended that doctors discuss such issues with the medical defence organisations.

State Register of Births, Deaths and Marriages – death certificates are usually issued by the treating doctor.

Centrelink – There are a large number of Centrelink forms (treating doctor’s reports) which are usually completed in conjunction with the patient consultation.

Accounts/Debt Collection

The practice must maintain privacy of patient’s financial accounts. Accounts are not stored or left visible in areas where members of the public have unrestricted access.

Accounts must not contain any clinical information. Invoices and statements should be reviewed prior to forwarding to third parties such as insurance companies or debt collection agencies.

Outstanding account queries or disputes should be directed to the practice manager/bookkeeper or principal.

Students (Medical and Nursing)

This practice does not participate in medical/nursing student education. The practice acknowledges that some patients may not wish to have their personal health information accessed for educational purposes. The practice always advises patients of impending student involvement in practice activities and seeks to obtain patient consent accordingly. The practice respects the patient’s right to privacy.

Researchers/Quality Assurance Programs

Where the practice seeks to participate in human research activities and/or continuous quality improvement (CQI) activities, patient anonymity will be protected. The practice will also seek and retain a copy of patient consent to any specific data collection for research purposes. Research requests are to be approved by the practice principal, practice partners and must have approval from a Human Research Ethics Committee (HREC) constituted under the NH&MRC guidelines. A copy of this approval will be retained by the practice.

Practice accreditation is a recognised peer review process and the reviewing of medical records for accreditation purposes has been deemed as a ‘secondary purpose’ by the Office of the Federal Privacy Commissioner. As a consequence patients are not required to provide consent.

Patients should be advised of the ways in which their health information may be used (including for accreditation purposes) via a sign in the waiting room and the practice information brochure.

Media

Please direct all enquiries to the practice manager/principal. Staff must not release any information unless it has been authorised by the practice manager/principal and patient consent has been obtained.

International

Where patient consent is provided then information may be sent overseas however the practice is under no obligation to supply any patient information on receipt of an international subpoena (NPP 9 – Transborder Data Flows).

Disease Registers

This practice submits patient data to various disease specific registers (cervical, breast, bowel screening etc) to assist with preventative health management. Consent is required from the patient with the option of opting in or opting out. Patients are advised of this via a sign in the waiting area and in the practice’s information leaflet.

Telephone Calls

Requests for patient information are to be treated with care and no information is to be given out without adherence to the following procedure:

1. Take the telephone number, name and address of the person calling
2. Forward this on to the treating doctor/principal or the practice manager where appropriate.

Practice Policy – Collection and Management of Personal Health Information

Australian Privacy Principle 1 requires our practice to have a document that clearly sets out its policies on handling personal information, including health information.

This document, commonly called a privacy policy, outlines how we handle personal information collected (including health information) and how we protect the security of this information. It must be made available to anyone who asks for it and patients are made aware of this.

The collection statement informs patients about how their health information will be used including other organisations to which the practice usually discloses patient health information and any law that requires the particular information to be collected. Patient consent to the handling and sharing of patient health information should be provided at an early stage in the process of clinical care and patients should be made aware of the collection statement when giving consent to share health information.

In general, quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would be considered a directly related secondary purpose for information use or disclosure so we do not need to seek specific consent for this use of patients’ health information, however we include information about quality improvement activities and clinical audits in the practice policy on managing health information.

Practice Procedure – Collection and Management of Personal Health Information

We inform our patients about our practice’s policies regarding the collection and management of their personal health information via:

• A sign at reception
• Brochure/s in the waiting area
• Our patient information sheet
• New patient forms – “Consent to share information”
• Verbally if appropriate
• The practice website.

The privacy policy should outline:

• The practice’s contact details
• What information is collected
• Why information is collected
• How the practice maintains the security of information held at the practice
• The range of people within the practice team (eg GPs, practice nurses, GP Registrars, students and allied health professionals), who may have access to patient health records and the scope of the access
• The procedures for patients to gain access to their own health information on request
• The way the practice gains patient consent before disclosing their personal health information to third parties
• The process of providing health information to another medical practice should patients request that
• The use of patient health information for quality assurance, research and professional development
• The procedures for informing new patients about privacy arrangements
• The way the practice addresses complaints about privacy related matters
• The practice’s policy for retaining patient health records.

A ‘collection statement’ sets out the following information:

• The identity of the practice and how to contact it
• The fact that patients can access their own health information
• The purpose for which the information is collected
• Other organisations to which the practice usually discloses patient health information
• Any law that requires the particular information to be collected (eg notifiable diseases)
• The main consequence for the individual if important health information is not provided.

Prior to a patient signing consent to the release of their health information patients are made aware they can request a full copy of our privacy policy and collection statement.

Patient consent for the transfer of health information to other providers or agencies is obtained on the first visit. A copy of our consent form is included below. Once signed this form is scanned into the patient’s record and its completion noted.

NOTE: Consent for transfer of information differs from procedural consent.

Practice Policy – Transfer of Health Information

Transfer of medical records from this practice can occur in the following instances:

• For medico-legal reasons eg record is subpoenaed to court
• When a patient asks for their medical record to be transferred to another practice, due to moving residence or for other reasons
• Where an individual medical record report is requested from another source
• Where the doctor is retiring and the practice is closing.

Our practice team can describe the procedures for timely, authorised and secure transfer of patient health information to other providers and in relation to valid requests.

Practice Procedure – Transfer of Health Information

Requests for Transfer of Medical Records for Medico-legal Reasons

Refer to 3rd Party requests for access to medical records/health information above.

Receiving a Request to Transfer Medical Records to a Patient’s New Clinic

In accordance with state and federal privacy regulations, a request to transfer medical records must be signed by the patient giving us authority to transfer their records.

The request form should contain:

• The name of the receiving practitioner or practice
• The name, address (both current and former if applicable) and date of birth of the patient whose record is required
• The reason for the request.

When fulfilling a request, this practice may choose to either:

• Prepare a summary letter (manually or via clinical software) and include copies of relevant correspondence and results pertinent to the ongoing management of the patient
• Make a copy of the medical record and dispatch the copy to the new practice, retaining the original on site for a minimum of 7 years.

The requesting clinic is advised if we propose to transfer a summary or a copy of the full medical record. If they have a preference the format can be negotiated or they can choose not to proceed with the transfer and seek a copy through a separate access request.

If there are going to be any expenses related to the transfer the requesting clinic is advised prior to sending the medical records and once the fee has been paid we process the request as soon as possible. Any charges must not exceed the prescribed maximum fee.

The patient’s signed request letter/form and a notation that the patient has transferred is made on the medical record. Include the name and address of the new practice and the dispatch details (eg via priority mail or confidential courier or in an electronic form).

Electronic data transmission of patient health information from our practice is in a secure format.

NOTE: There are a number of ways the information can be transferred, depending on the request from the patient and clinic: via secure post; encrypted email (if computerised records) or, if the practice is releasing copies of the entire record and the patient requests access (Health Records Act), the practice may wish to make an appointment time with the patient to offer an appropriate explanation and counsel from the GP or as an alternative may choose to supply a summary of the history.

All reasonable steps are taken to protect the health information from loss and unauthorised disclosure during the transfer.

This practice does not allow individuals to collect the file and take it to their new provider.

Making a Request for a Patient Medical Record from another Source

Access to a new patient’s previous record can assist with maintaining the continuity of care of the patient.

When requesting records from another clinic, a standard request for transfer of medical records template (see sample below) should be used.

This should contain:

• The patient’s details: the patient should be identified by name, address (both current and former if applicable) and date of birth
• The reason for request including the name of the doctor making the request
• The request for transfer of patient files should be authorised by the patient

If the files will be requested electronically, specific details of the format need to be included, such as HTML or XML.

If the clinic advises you that the patient is likely to incur out of pocket expenses related to transfer, please advise the patient prior to accepting the transferred medical records.

When a doctor is retiring and the practice is closing

The correct process for handling patient health information on the closure of a practice is available in the OFPC Guidelines at www.privacy.gov.au/materials/types/guidelines/view/6517.

The following fact sheet may be useful: Transfer/closure of a practice or business of a health service provider http://www.health.vic.gov.au/hsc/infosheets/closure.pdf

NOTE: A health service provider who has a dispute with an organisation in relation to a request to access health information cannot complain on behalf of the patient.

A complaint must be lodged in writing, by the patient, with the Health Services Commissioner (HSC). A sample complaint form can be found below. A detailed letter is also required.

Practice Policy – Research

Research activity, both within the practice and through reputable external bodies, is encouraged.

Patient consent is essential for involvement in research projects. Whenever any member of our practice team is conducting research involving our patients, we can demonstrate that the research has appropriate approval from an ethics committee. The research protocol, consent procedures and process for resolving problems should be retained by the practice.

Research activities are distinct from audits undertaken by the practice as part of quality improvement activities. Research projects require approval from an Ethics committee but “in house” practice audits do not.

When we collect patient health information for quality improvement audits or professional development activities, we only transfer de-identified patient health information to a third party once informed patient consent has been obtained.

Privacy and confidentiality are particularly important, especially when considering involvement in commercial market research activities.

Our practice considers how identifiable their patient information will be using the following:

• Identifiable patient information – by which individual patients can be identified
• De-identified patient information – which cannot be traced back to the individual
• Potentially identifiable information – could possibly be traced back to individuals or groups of individuals

Practice Procedure – Research

Research projects involving patient care

• Must have the explicit and documented written consent of the patient
• The patient must receive a written and oral explanation about the research and be able to withdraw consent at any time
• The project must be approved by a relevant human research ethics committee (HREC) established under the NH&MRC guidelines
• Privacy laws must be adhered to.

Research projects involving research or clinical audits using de-identified data should ideally have patient consent. This can be in more general terms such as by waiting room notice or practice information sheet.

• Extreme care must be taken not to allow patient identification from small and/or unusual cohorts

For QI&CPD activities that require the transfer of patient information outside the practice (eg NPS activities) we need to:

• Ensure the activity complies with relevant guidelines on QI&CPD (issued by an appropriate specialist medical college)
• Ensure the activity is approved by that college
• Retain a copy of the QI&CPD approval for the activity
• Obtain patient consent if transferring identifiable patient information

The practice should retain a record of the request for participation in any research project, including the research protocol, consent procedures and process for resolving problems.

Narre Warren Medical Centre Consent Form for the Collection of Personal Health Information

Narre Warren Medical Centre, 2 Malcolm Court, Narre Warren
Phone 97046812 Fax 97040509 admin@nwmc.com.au

Narre Warren Medical Centre requires your consent to collect personal information about you. Please read this consent form carefully, and sign where indicated below.

Narre Warren Medical Centre collects information from you for the primary purpose of providing quality health care. We require you to provide us with your personal details and a full medical history so that we may properly assess, diagnose, treat and be proactive in your health care needs. This means we will use the information you provide in the following ways:

• Administrative purposes in running our medical practice
• Billing purposes, including compliance with Medicare and Health Insurance Commission requirements
• Disclosure to others involved in your healthcare including treating doctors and specialists outside this medical practice. This may occur through referral to other doctors, or for medical tests and in the reports or results returned to us following referrals
• Disclosure to other doctors in the practice, locums etc attached to the practice for the purpose of patient care and teaching. Please let us know if you do not want your records accessed for these purposes, and we will note in your record accordingly
• Disclosure for research and quality assurance activities to improve individual and community health care and practice management; all information in these instances is un-identified. You will be informed when such activities are being conducted and given the opportunity to “opt out” of any involvement

I have read the information above and understand the reasons why my information must be collected. I am also aware that this practice has a privacy policy on handling Patient Information.

I understand that I am not obliged to provide any information requested of me, but failure to do so may compromise the quality of health care and treatment given to me.

I am aware of my rights to access the information collected about me, except in some circumstances where access may be legitimately withheld. I will be given an explanation in these circumstances.

I understand that if my information is to be used for any other purpose other than set out above, my further consent will be obtained.

I consent to the handling of my information by the practice for the purpose set out above, subject to any limitations on access or disclosure of which I notify this practice.

Name …………………… Signed ……………………

Name of Guardian (for child) …………………… Signed ……………………

Date ……………………

NWMC Request for Personal Health Information

Narre Warren Medical Centre, 2 Malcolm Court, Narre Warren
Phone 97046812 Fax 97040509 admin@nwmc.com.au

Patient Details

Family name …………………… Given Name/s ……………………

Address ……………………

Date of Birth ……/……/……

Applicant if not the patient …………………… Relationship to patient ……………………

Health Information Requested

☐ Pathology results. Specify date/s ……………………
☐ X-ray results. Specify date/s ……………………
☐ Other test results. Please specify ……………………
☐ A summary of my health record
☐ Health Record - detailed
☐ Current Medications
☐ Correspondence on file
☐ Other, please give details ……………………

How would you like to receive this information?

☐ View and inspect information. I will make a time at reception
☐ View, inspect and discuss contents with my doctor. I will make an appointment at reception
☐ Obtain a copy - collect
☐ Obtain a copy – send via mail
☐ Obtain a copy – via Fax No ……………………
☐ Obtain a copy – via Email ……………………

Note: Privacy requirements allow the doctor in certain circumstances to restrict the release of medical records.

Charging policy – fees may be charged for access. Please request information about your charging policy.

Signature of Applicant …………………… Date ……/……/……

Office Use Only – Staff to Initial and Date Each Entry

☐ Date request received ……/……/……
☐ Acknowledgement Date ……/……/……
☐ Identification verified: known to staff / license / passport / other ……………………
☐ Appointment made with doctor ☐ Yes ☐ No Date ……/……/…… Time:
☐ Patient to collect? Expected Date ……/……/……
☐ Doctor advised prior to release
☐ Noted in patient record
☐ Record checked and ready for patient
☐ Data removed/deleted ☐ Yes ☐ No
☐ Method of access: view / view & Dr / copy & collect / copy & send ……………………
☐ Fees Charged ☐ Yes ☐ No Amount $ …………… (exclude GST) Fees Received $ ……………
☐ Access process completed (record viewed/sent) Date ……/……/……

Request for Medical Records Transfer

Narre Warren Medical Centre, 2 Malcolm Court, Narre Warren
Phone 97046812 Fax 97040509 admin@nwmc.com.au

Date ……/……/……

Dear Dr ……………………,

Practice Details ……………………

Patient’s Full Name …………………… DOB ……/……/……

Other Family Members (if under 18 years of age)

Patient Full Name …………………… DOB ……/……/……

Address ……………………

Patient Full Name …………………… DOB ……/……/……

Address ……………………

Patient Full Name …………………… DOB ……/……/……

Address ……………………

The above mentioned now attends this practice. To assist in their future medical management would you please kindly forward (tick option):

☐ Their clinical records
☐ An accurate health summary, with relevant correspondence and results
☐ Details of any CDM or PIP items claimed within the last 2 years (GPMP)

These records can be forwarded by mail, fax, encrypted email (PKI), non-rewriteable CD. Electronic version should be ☐ HTML ☐ XML

Yours Sincerely,

Doctor …………………… (Name of GP)

Patient’s Signed Authority

I, …………………… (Patient’s full name)

Of …………………… (Patient’s current address and date of birth)

Formerly of …………………… (Patient’s former address if applicable)

Authorise the release of my/my family’s medical records to be forwarded to <Insert Clinic Name>

Signed …………………… Date ……/……/……