Criterion4.2.1–ConfidentialityandPrivacyofHealthInformation
PracticePolicy–PracticePrivacyPolicy
ThispracticeisboundbytheFederalPrivacyAct(1988)andAustralianPrivacyPrinciples(APPs),andalsocomplieswiththeVictorianHealthRecordsAct(2001).
‘Personalinformation’isinformationthatidentifiesyouorcouldreasonablyidentifyyou.‘Personalhealthinformation’aparticularsubsetofpersonalinformationcanincludeanyinformationcollectedandheldtoprovideahealthservice.
Thisinformationincludesmedicaldetails,familyinformation,name,address,employmentandotherdemographicdata,pastmedicalandsocialhistory,currenthealthissuesandfuturemedicalcare,Medicarenumber,accountsdetailsandanyhealthinformationsuchasamedicalorpersonalopinionaboutaperson’shealth,disabilityorhealthstatus.
Itincludestheformalmedicalrecordwhetherwrittenorelectronicandinformationheldorrecordedonanyothermediumegletter,fax,electronicallyorinformationconveyedverbally.
OurpracticehasadesignatedpersonKellieAdamwithprimaryresponsibilityforthepractice’selectronicsystems,computersecurityandadherencetoprotocolsasoutlinedinourcomputerinformationsecuritypolicy(Criterion4.2.2).Thisresponsibilityisdocumentedinthepositiondescription.Tasksmaybedelegatedtoothersandthispersonworksinconsultationwiththeprivacyofficer.
Oursecuritypoliciesandproceduresregardingtheconfidentialityofpatienthealthrecordsandinformationaredocumentedandourpracticeteamareinformedabouttheseatinductionandwhenupdatesorchangesoccur.
Thepracticeteamcandescribehowwecorrectlyidentifyourpatientsusing3patientidentifiers,name,dateofbirth,addressorgendertoascertainwehavethecorrectpatientrecordbeforeenteringoractioninganythingfromthatrecord.
Foreachpatientwehaveanindividualpatienthealthrecord,electroniccontainingallclinicalinformationheldbyourpracticerelatingtothatpatient.Thepracticeensurestheprotectionofallinformationcontainedtherein.Ourpatienthealthrecordscanbeaccessedbyanappropriateteammemberwhenrequired.Wealsoensureinformationheldaboutthepatientindifferentrecords(egataresidentialagedcarefacility)isavailablewhenrequired.
PracticeProcedure–PracticePrivacyPolicy
Doctors,alliedhealthpractitionersandallotherstaffandcontractorsassociatedwiththispracticehavearesponsibilitytomaintaintheprivacyofpersonalhealthinformationandrelatedfinancialinformation.Theprivacyofthisinformationiseverypatient’sright.
Themaintenanceofprivacyrequiresthatanyinformationregardingindividualpatients,includingstaffmemberswhomaybepatients,maynotbedisclosedeitherverbally,inwriting,inelectronicform,bycopyingeitheratthepracticeoroutsideit,duringoroutsideworkhours,exceptforstrictlyauthorisedusewithinthepatientcarecontextatthepracticeoraslegallydirected.
Therearenodegreesofprivacy,allpatientinformationmustbeconsideredprivateandconfidential,eventhatwhichisseenorheardandthereforeisnottobedisclosedtofamily,friends,stafforotherswithoutthepatient’sapproval.Sometimesdetailsaboutaperson’smedicalhistoryorothercontextualinformationsuchasdetailsofanappointmentcanidentifythem,evenifnonameisattachedtothatinformationandassuchitmustbeprotectedunderthePrivacyAct.
Anyinformationgiventounauthorisedpersonnelwillresultindisciplinaryactionandpossibledismissal.Eachstaffmemberisboundbyhis/herprivacyclausecontainedwiththeemploymentagreementwhichissigneduponcommencementofemploymentatthispractice.
Personalhealthinformationshouldbekeptwherestaffsupervisioniseasilyprovidedandkeptoutofviewandaccessbythepublicegnotleftexposedonthereceptiondesk,inwaitingroomorotherpublicareasorleftunattendedinconsultingortreatmentrooms.
PracticecomputersandserverscomplywiththeRACGPcomputersecuritychecklistandwehaveasoundbackupsystemandacontingencyplantoprotectthepracticefromlossofdata(SeeCriterion4.2.2–Computerinformationsecurity).
Careshouldbetakenthatthegeneralpubliccannotseeoraccesscomputerscreensthatdisplayinformationaboutotherindividuals.Tominimisetheriskautomatedscreensaversshouldbeengaged.
Membersofthepracticeteamhavedifferentlevelsofaccesstopatienthealthinformation(SeeCriterion4.2.2–Computerinformationsecurity).Toprotectthesecurityofhealthinformation,GPsandotherpracticestaffdonotgivetheircomputerpasswordstoothersintheteam.
Receptionandotherpracticestaffshouldbeawarethatconversationsinthemainreceptionareacanoftenbeoverheardinthewaitingroomandassuchstaffshouldavoiddiscussingconfidentialandsensitivepatientinformationinthisarea.
Wheneversensitivedocumentationisdiscardedthepracticeusesanappropriatemethodofdestructionshreddingandsecuritybinorcomputerdrive,memorysticksetcarereformatted.
Correspondence
Electronicinformationistransmittedoverthepublicnetworkinanencryptedformatusingsecuremessagingsoftware.Wheremedicalinformationissentbypost,theuseofsecurepostageoracourierserviceisdetermineonacasebycasebasis.
Incomingpatientcorrespondenceanddiagnosticresultsareopeningbyadesignatedstaffmember.
Itemsforcollectionorpostageareleftinasecureareanotinviewofthepublic.
Facsimile
Facsimile,printersandotherelectroniccommunicationdevicesinthepracticearelocatedinareasthatareonlyaccessibletothegeneralpractitionersandotherauthorisedstaff.Faxingispointtopointandwillthereforeusuallyonlybetransmittedtoonelocation.
Allfaxescontainingconfidentialinformationaresenttofaxnumbersensuringtherecipientisthedesignatedreceiver.
• Confidentialinformationsentbyfaxhasdate,patientname,descriptionanddestinationrecordedinalogontheFujiXeroxmachine.
• Write“Confidential”onthefaxcoversheet• CheckthenumberdialledbeforepressingSEND• Keepthetransmissionreportproducedbythefaxasevidencethatthefaxwassent• Alsoconfirmthecorrectfaxnumberonthereport.
Faxesreceivedaremanagedaccordingtoincomingcorrespondenceprotocols.
Thepracticeusesafaxdisclaimernoticeonoutgoingfaxesthataffiliateswiththepractice.
Disclaimer: This email and any attachments have been sent by Narre Warren Medical Centre. The information contained in this email is intended only for the use of the person (s) to whom it is addressed and may be confidential or contain privileged information. If you are not the intended recipient you are hereby notified that any perusal, use, distribution, copying or disclosure is strictly prohibited. If you have received this email in error please immediately advise us by return email and delete the email without making a copy. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached. In relation to any legal use you may make of the contents of this email, you must ensure that you comply with the Privacy Act (Cth) 1988 and you should note that the contents may be subject to copyright and therefore may not be reproduced, communicated or adapted without the express consent of the owner of the copyright.
Emails
Emailsaresentviavariousnodesandareatriskofbeingintercepted.Patientinformationmayonlybesentviaemailifitissecurelyencryptedaccordingtoindustryandbestpracticestandards.
PatientConsultations
Patientprivacyandsecurityofhealthinformationismaximisedduringconsultationsbyclosingconsultingroomdoors.Allexaminationcouches,includingthoseinthetreatmentroom,havecurtainsorprivacyscreens.
Whenconsulting,treatmentoradministrationofficedoorsareclosed,priortoentering,staffshouldeitherknockandwaitforaresponseoralternativelycontacttherelevantpersonbyinternalphoneoremail.
Wherelocksarepresentonindividualroomstheseshouldnotbeengagedexceptwhentheroomisnotinuse.
Itisthedoctor’s/healthcareprofessional’sresponsibilitytoensurethatprescriptionpaper,samplemedications,medicalrecordsandrelatedpersonapatientinformationiskeptsecure,iftheyleavetheroomduringaconsultationorwhenevertheyarenotinattendanceintheirconsulting/treatmentroom.
MedicalRecords
Thephysicalmedicalrecordsandrelatedinformationcreatedandmaintainedforthecontinuingmanagementofeachpatientarethepropertyofthispractice.Thisinformationisdeemedapersonalhealthrecordandwhilethepracticedoesnothaveownershipoftherecordhe/shehastherighttoaccessundertheprovisionsoftheCommonwealthPrivacyandStateHealthRecordsAct/Requestsforaccesstothemedicalrecordwillbeactedupononlyifreceivedinwrittenformat.
Ourpatienthealthrecordscanbeaccessedbyanappropriateteammemberwhenrequired.
Practixstoresmedicalrecords,Practixispasswordprotectedperuserandaccesstotherecordassignedperusertoensuretheprotectionofallinformationcontainedinmedicalrecordse.g.passwords,accessdetails,storageandhowyouensureinformationheldaboutthepatientindifferentrecords(e.g.ataresidentialagedcarefacility)isavailablewhenrequired.
Bothactiveandinactivepatienthealthrecordsarekeptandstoredsecurely.
Apatienthealthrecordmaybysolelyelectronicbased.
ComputerisedRecords
Ourpracticeisconsideredpaperlessandhassystemsinplacetoprotecttheprivacy,security,qualityandintegrityofthepersonalhealthinformationheldelectronically.Appropriatestaffmembersaretrainedincomputersecuritypoliciesandprocedures.
NOTETheRACGPStandardsdefinean“activehealthrecord”asarecordofapatientwhohasattendedthepracticethreeormoretimesinthepast2years.
PracticePolicy–PatientsRequestforAccesstoPersonalHealthInformation
Patientsatthispracticehavetherighttoaccesstheirpersonalhealthinformation(medicalrecord)underlegislation;CommonwealthPrivacyAmendment(PrivateSector)Act2000andtheHealthRecordsAct2001(Victoria).TheHRAgivesindividualsarightofaccesstotheirpersonalhealthinformationheldbyanyorganisationintheprivatesectorinVictoriainaccordancewithHealthPrivacyPrinciple6(HPP6).Theprincipleobligeshealthserviceprovidersandotherorganisationsthatholdhealthinformationaboutapersontogivethemaccesstotheirhealthinformationonrequest,subjecttocertainexpectationsandthepaymentoffees(ifany).
PublicsectororganisationscontinuetobesubjecttotheFreedomofInformationAct1982.
ThispracticecomplieswithbothlawsandtheAustralianandHealthPrivacyPrinciples(APPs&HPPs)adoptedtherein.Seesummaryheadingsofprinciplesinthissection.BothActsgiveindividualstherighttoknowwhatinformationaprivatesectororganisationholdsaboutthem,therighttoaccessthisinformationandtoalsomakecorrectionsiftheyconsiderdataisincorrect.CompliancewiththeaccessprovisionsintheHealthRecordsAct2001(Victoria)willgenerallyensurecompliancewiththeCommonwealthPrivacyAct.
AustralianPrivacyPrinciples(APPs)APP1 OpenandtransparentmanagementofpersonalinformationAPP2 AnonymityandpseudonymityAPP3 CollectionofsolicitedpersonalinformationAPP4 DealingwithunsolicitedpersonalinformationAPP5 NotificationofthecollectionofpersonalinformationAPP6 UseordisclosureofpersonalinformationAPP7 DirectmarketingAPP8 Cross-borderdisclosureofpersonalinformationAPP9 Adoption,useordisclosureofgovernmentrelatedidentifiersAPP10 QualityofpersonalinformationAPP11 SecurityofpersonalinformationAPP12 AccesstopersonalinformationAPP13 Correctionofpersonalinformation
AsadoptedwithintheCommonwealthPrivacyAmendment(PrivateSector)Act2000.Wehaveaprivacypolicyinplacethatsetsouthowtomanagehealthinformationandthestepsanindividualmusttaketoobtainaccesstotheirhealthinformation.Thisincludesthedifferentformsofaccessandtheapplicabletimeframesandfees.
ReportsbySpecialists
Thisinformationformspartofthepatient’smedicalrecord,henceaccessispermittedunderprivacylaw.
DiagnosticResults
Thisinformationformspartofthepatient’smedicalrecord,henceaccessispermittedunderprivacylaw.
NOTE:AmendmentstothePrivacyActapplytoinformationcollectedafter21stDecember2001,howevertheyalsoapplytodatacollectedpriortothisdateprovideditisstillinuseandreadilyaccessible.
Werespectindividual’sprivacyandallowaccesstoinformationviapersonalviewinginasecureprivatearea.Thepatientmaytakenotesofthecontentoftheirrecordormaybegivenaphotocopyoftherequestedinformation.AGPmayexplainthecontentsoftherecordtothepatientifrequired.Anadministrativechargemaybeapplied,attheGPsdiscretionandinconsultationwiththePrivacyOfficere.g.forphotocopyingrecord,x-raysandforstafftimeinvolvedinprocessingtherequest.
PracticeProcedure–PatientsRequestforAccesstoPersonalHealthInformation
Anoticeisdisplayedinourwaitingroomadvisingpatientsandothersoftheirrightsofaccessandofourcommitmenttoprivacylegislationcompliance.Aninformationbrochureisalsoavailablethatprovidesfurtherdetailsifrequired.
Releaseofinformationisanissuebetweenthepatientandthedoctor.Informationwillonlybereleasedaccordingtoprivacylawsandatdoctor’sdiscretion.Requestedrecordsarereviewedbythemedicalpractitionerpriortotheirreleaseandwrittenauthorisationisobtained.
RequestReceived
Whenourpatientsrequestaccesstotheirmedicalrecordandrelatedpersonalinformationheldatthispractice,wedocumenteachrequestandendeavourtoassistpatientsingrantingaccesswherepossibleandaccordingtotheprivacylegislation.Exemptionstoaccesswillbenotedandeachpatientorlegallynominatedrepresentativewillhavetheiridentificationcheckedpriortoaccessbeinggranted.Apatientmaymakearequestverballyatthepractice,viatelephoneorinwritingegfax,emailorletter.Noreasonisrequiredtobegiven.Therequestisreferredtothepatient’sdoctorordelegatedprivacyofficer.
Arequestforpersonalhealthinformationiscompletedtoensurecorrectprocessing.
Oncecompletedarecordoftherequestisloggedintheaccessregisterandtheformfiled/scannedinthepatientrecord.
Requestbyanother(notpatient)
Anindividualmayauthoriseanotherpersontobegivenaccess,iftheyhavetherighteglegalguardian,andiftheyhaveasignedauthority.UnderNPP2UseandDisclosure,a‘personresponsible’forthepatient(includingapartner,familymember,carer,guardianorclosefriend),ifthatpatientisincapableofgivingorcommunicatingconsent,mayapplyforandbegivenaccessforappropriatecareandtreatmentorforcompassionatereasons.Identityvalidationapplies.
ThePrivacyActdefines‘apersonresponsible’asaparentoftheindividual,achildorsiblingoftheindividual,whoisatleast18yearsold,aspouseordefactospouse,arelative(atleast18yearsold)andamemberofthehousehold,aguardianorapersonexercisinganenduringpowerofattorneygrantedbytheindividualthatcanbeexercisedforthatperson’shealth,apersonwhohasanintimaterelationshipwiththeindividualorapersonnominatedbytheindividualinacaseofemergency.
Children
Whereayoungpersoniscapableofmakingtheirowndecisionsregardingtheirprivacy,theyshouldbeallowedtodosoaccordingtoFederalPrivacyCommissioner’sPrivacyGuidelines.Thedoctorcoulddiscussthechild’srecordwiththeirparent.Eachcaseisdealtwithsubjecttotheindividual’scircumstances.Aparentwillnotnecessarilyhavetherighttotheirchild’sinformation.
DeceasedPersons
Arequestforaccessmaybeallowedforadeceasedpatient’slegalrepresentativeifthepatienthasbeendeceasedfor30yearsorlessandallotherprivacylawrequirementshavebeenmet.Ref:Sec28HealthRecordsAct.Nomentionismadeofdeceasedpatient’saccessinCommonwealthprivacylegislation.
AcknowledgeRequest
Eachrequestisacknowledgedwithalettersenttothepatient,confirmingrequesthasbeenreceived.Sendtheletterwithin14daysorsoonerasrecommendedbytheNationalPrivacyCommissioner.Acknowledgementwillincludeastatementconcerningchargesinvolvedinprocessingtherequest.
FeesCharged
Discusswiththeindividualwhatinformationtheywantaccessto,andthelikelyfees,beforeundertakingtheirrequestforaccess.
Thefeeswhichanorganisationcanchargeforprovidingaccessmustnotbeexcessiveandmustnotapplytothemerelodgementofarequestforaccess.NationalPrivacyPrinciple(NPP)6.4aimstoprevent
preventorganisationsforusingexcessivechargestodiscourageindividualsfrommakingrequestsforaccesstotheirmedicalrecords.Ifanorganisationincurssubstantialcostsinmeetingarequestforaccess,thentheorganisationcouldchargeareasonablefeetomeettheadministrativecostsinvolved.Forexample,anorganisationcouldrecoversomeofthecostsofphotocopyingorofthestafftimeinvolved.
CollateandAssessInformation
Retrievepatient’shardcopymedicalrecordorarrangeforthetreatingdoctororpracticeprincipletoaccessthecomputerrecord.Refertothepatientrequestformtohelpidentifywhatinformationistobegiventothepatient.
DatamaybewithheldunderprivacylegislationNPP6–AccessandCorrectionforthefollowingreasons:
• Whereaccesswouldposeaseriousthreattothelifeorhealthofanyindividual• Wheretheprivacyofothersmaybeaffected• Ifarequestisfrivolousorvexatious• Ifinformationrelatestoexistingoranticipatedlegalproceedings• Ifaccesswouldprejudicenegotiationswiththeindividual• Ifaccesswouldbeunlawful• Wheredenyingaccessisrequiredorauthorisedbylaw.
SeeNationalPrivacyPrinciplesinfullforacomprehensivelistofexclusionsavailableat:http://www.privacy.gov.au/materials/types/infosheets/view/6583
AccessDenied
Reasonsfordeniedaccessmustbegiventothepatientinwriting.Notetheseontherequestform.Insomecasesrefusalofaccessmaybeinpartorfull.
UseofIntermediarywhenAccessDenied
Ifrequestforaccessisdeniedanintermediarymayoperateasfacilitatortoprovidesufficientaccesstomeettheneedsofboththepatientandthedoctor.
ProvideAccess
Personalhealthinformationmaybeaccessedinthefollowingways:
• Viewandinspectinformation• View,inspectandtalkthroughcontentswiththedoctor• Takenotes• Obtainacopy(canbephotocopyorelectronicprintoutfromcomputer)• Listentoaudiotapeorviewvideo
• Informationmaybefaxedtopatient
CheckIdentityofPatient
• EnsureavisibleformofIDispresentedbythepersonseekingaccessegdriver’slicence,passportorotherphotoidentification.Notedetailsonrequestform
• Doesthepersonhavetheauthoritytogainaccess?Checkage,legalguardiandocuments;ispersonauthorisedrepresentative?
Ifthepatientisviewingthedata,superviseeachviewingsothatpatientisnotdisturbedandnodatagoesmissing.
Ifacopyistobegiventothepatientensureallpagesarecheckedandthisisnotedintherequestform.
Ifthedoctoristoexplainthecontentstoapatientthenensureanappointmenttimeismade.
RequesttoCorrectInformation
Apatientmayasktohavetheirpersonalhealthinformationamendedifhe/sheconsidersthatisnotuptodate,accurateandcomplete(NPP6.5/6.6).
Ourpracticemusttrytocorrectthisinformation.Correctionsareattachedtotheoriginalhealthrecord.
Wherethereisadisagreementaboutwhethertheinformationisindeedcorrect,ourpracticeattachesastatementtotheoriginalrecordoutliningthepatient’sclaim.
TimeFrames
Acknowledgerequest–within14days.Completetherequest–within30days.
PracticePolicy–3rdPartyRequestforAccesstoPersonalHealthInformation
Requestsfor3rdpartyaccesstothemedicalrecordshouldbeinitiatedbyeitherreceiptofcorrespondencefromasolicitororgovernmentagencyorbythepatientcompletingapatientrequestforpersonalhealthinformationform.Whereapatientrequestformandsignedauthorisationisnotobtainedthepracticeisnotlegallyobligedtorelease.
Whererequestsforaccessarerefusedthepatientorthirdpartymayseekaccessunderrelevantprivacylaws.
Anorganisation‘holds’healthinformationifitisintheirpossessionorcontrol.Ifyouhavereceivedreportsorotherhealthinformationfromanotherorganisationsuchasamedicalspecialists,youarerequiredtoprovideaccessinthesamemannerasfortherecordsyoucreate.Ifthespecialisthas
written‘nottobedisclosedtoathirdparty’or‘confidentiality’ontheirreport,thishasnolegaleffectinrelationtorequestsforaccessundertheHealthRecordsAct.Youarealsorequiredtoprovideaccesstorecordswhichhavebeentransferredtoyoufromanotherhealthserviceprovider.
Requestsforaccesstothemedicalrecordandassociatedfinancialdetailsmaybereceivedfromvarious3rdpartiesincluding:
1. Subpoena/courtorder/coroner/searchwarrant2. Relatives/friends/carers3. Externaldoctorsandhealthcareinstitutions4. Police/solicitors5. Healthinsurancecompanies/worker’scompensation/socialwelfareagencies6. Employers7. Governmentagencies8. Accounts/debtcollection9. Students(medicalandnursing)10. Research/qualityassuranceprograms11. Media12. International13. Diseaseregisters14. Telephonecalls
Weonlytransferorreleasepatientinformationtoathirdpartyoncetheconsenttoshareinformationhasbeensignedandinspecificcasesinformedpatientconsenthasmaybesought.Wherepossiblede-identifiedinformationissent.
Ourpracticeteamcandescribetheproceduresfortimely,authorisedandsecuretransferofpatienthealthinformationinrelationtovalidrequests.
PracticeProcedure-3rdPartyRequestforAccesstoPersonalHealthInformation
Thepracticeteamcandescribehowwecorrectlyidentifyourpatientsusing3patientidentifiers,name,anddateofbirth,addressorgendertoascertainwehavethecorrectpatientrecordbeforeentering,actioningorreleasinganythingfromthatrecord.
Patientconsentforthetransferofhealthinformationtootherprovidersoragenciesisobtainedonthefirstvisitandtrainedonfileinanticipationofwhenthismayberequired.
Asarulenopatientinformationistobereleasedtoa3rdpartyunlesstherequestImadeinwritingandprovidesevidenceofasignedauthoritytoreleasetherequestedinformation,toeitherthepatientdirectlyorathirdparty(wherepossiblede-identifieddataisreleased).
Writtenrequestsshouldbenotedinthepatient’smedicalrecordandalsodocumentedinthepractice’srequestregister.Requestsshouldbeforwardedtothedesignatedpersonwithinthepracticeforfollow-up.
Requestedrecordsaretobereviewedbythetreatingmedicalpractitionerorprincipaldoctorpriortotheirreleasetoathirdparty.Whereareportormedicalrecordisdocumentedforreleasetoathirdparty,havingsatisfiedcriteriaforrelease(includingthepatientswrittenconsentandwhereappropriatewrittenauthorisationfromthetreatingdoctor),thenthepracticemayspecifyachargetobeincurredbythepatientorthirdparty,tomeetthecostoftimespentpreparingthereportorphotocopyingtherecord.
Thepracticeretainsarecordofallrequestsforaccesstomedicalinformationincludingtransferstoothermedicalpractitioners.
Wherehardcopymedicalrecordsaresenttopatientsor3rdparties,copiesareforwardednotoriginaldocumentationwhereverpossible.Iforiginalsarerequiredcopiesaremadeincaseofloss.
Securityofanyhealthinformationrequestedismaintainedwhentransferringrequestedrecordsandelectronicdatatransmissionofpatienthealthinformationfromourpracticeisinasecureformat.
Subpoena,courtorderorcoronersearchwarrant
Notethedateofthecourtcaseanddaterequestreceivedinthemedicalrecord.Dependingonwhetheraphysicalorelectroniccopyoftherecordisrequiredfollowproceduresasdescribedabove.
Onoccasionsamemberofstaffisrequiredtoaccompanythemedicalrecordtocourtoralternativelyasecurecourierservicemaybeadequate.Iftheoriginalistobetransported,ensureacopyismadeincaseoflossoftheoriginalduringtransport.Ensurethattherecordisreturnedafterreviewbythecourt.
Relatives/Friends
Apatientmayauthoriseanotherpersontobegivenaccessiftheyhavethelegalrightandasignedauthority.
In2008theAustralianLawReformCommissionrecognisedthatdisclosureofinformationto‘apersonresponsibleforanindividual’canoccurwithincurrentprivacylaw.Ifasituationariseswhereacarerisseekingaccesstoapatient’shealthinformation,practicesareencouragedtocontacttheirmedicaldefenceorganisationforadvicebeforesuchaccessisgranted.
Individualrecordsareadvisedforallfamilymembersbutespeciallyforchildrenwhoseparentshaveseparatedwherecaremustbetakenthatsensitivedemographicinformationrelatingtoratherpartnerisnotrecordedonthedemographicsheet.Significantcourtordersrelatingtocustodyandguardianshipshouldberecordedasanalertonthechildren’srecords.
ExternalDoctorsandHealthCareInstitutions
Directthequerytothepatient’sdoctorandorthepracticemanager/principledoctor
Police/Solicitors
Policeandsolicitorsmustobtainacasespecificsignedpatientconsent(orsubpoena,courtorderorsearchwarrant)forreleaseofinformation.Therequestisdirectedtothedoctor.
HealthInsuranceCompanies/WorkersCompensation/SocialWelfareAgencies
Dependingonthespecificcircumstancesinformationmayneedtobeprovided.Itisrecommendedthattheserequestsarereferredtothedoctor.
Itisimportantthatorganisationstellindividualswhatcouldbedonewiththeirpersonalhealthinformationandifitiswithinthereasonableexpectationofthepatientthenpersonalhealthinformationmaybedisclosed.Doctorsmayneedtodiscusssuchrequestswiththepatientandperhapstheirmedicaldefenceorganisation.
Employers
Ifthepatienthassignedconsenttoreleaseinformationforapre-employmentquestionnaireorsimilarreportthendirecttherequesttothetreatingdoctor.
GovernmentAgencies
Medicare/DepartmentofVeteransAffairs-dependingonthespecificcircumstancesinformationmayneedtobeprovided.Itisrecommendedthatdoctorsdiscusssuchissueswiththemedicaldefenceorganisations.
StateRegisterorBirths,DeathsandMarriages–deathcertificatesareusuallyissuedbythetreatingdoctor
Centrelink–TherearealargenumberofCentrelinkforms(treatingdoctor’sreports)whichareusuallycompletedinconjunctionwiththepatientconsultation.
Accounts/DebtCollection
Thepracticemustmaintainprivacyofpatient’sfinancialaccounts.Accountsarenotstoredorleftvisibleinareaswheremembersofthepublichaveunrestrictedaccess.
Accountsmustnotcontainanyclinicalinformation.Invoicesandstatementsshouldbereviewedpriortoforwardingtothirdpartiessuchasinsurancecompaniesordebtcollectionagencies.
Outstandingaccountqueriesordisputesshouldbedirectedtothepracticemanager/bookkeeperorprincipal.
Students(MedicalandNursing)
Thispracticedoesnotparticipateinmedical/nursingstudenteducation.Thepracticeacknowledgesthatsomepatientsmaynotwishtohavetheirpersonalhealthinformationaccessedforeducationalpurposes.Thepracticealwaysadvisespatientsofimpendingstudentinvolvementinpracticeactivitiesandseekstoobtainpatientconsentaccordingly.Thepracticerespectsthepatient’srighttoprivacy.
Researchers/QualityAssurancePrograms
Wherethepracticeseekstoparticipateinhumanresearchactivitiesand/orcontinuousqualityimprovement(CQI)activities,patientanonymitywillbeprotected.Thepracticewillalsoseekandretainacopyofpatientconsenttoanyspecificdatacollectionforresearchpurposes.Researchrequestsaretobeapprovedbythepracticeprincipal,practicepartnersandmusthaveapprovalfromaHumanResearchEthicsCommittee(HREC)constitutedundertheNH&MRCguidelines.Acopyofthisapprovalwillberetainedbythepractice.
Practiceaccreditationisarecognisedpeerreviewprocessandthereviewingofmedicalrecordsforaccreditationpurposeshasbeendeemedasa‘secondarypurpose’bytheOfficeoftheFederalPrivacyCommissioner.Asaconsequencepatientsarenotrequiredtoprovideconsent.
Patientsshouldbeadvisedofthewaysinwhichtheirhealthinformationmaybeused(includingforaccreditationpurposes)viaasigninthewaitingroomandthepracticeinformationbrochure.
Media
Pleasedirectallenquiriestothepracticemanager/principal.Staffmustnotreleaseanyinformationunlessithasbeenauthorisedbythepracticemanager/principalandpatientconsenthasbeenobtained.
International
Wherepatientconsentisprovidedtheninformationmaybesentoverseashoweverthepracticeisundernoobligationtosupplyanypatientinformationonreceiptofaninternationalsubpoena(NPP9–TransborderDataFlows).
DiseaseRegisters
Thispracticesubmitspatientdatatovariousdiseasespecificregisters(cervical,breast,bowelscreeningetc)toassistwithpreventativehealthmanagement.Consentisrequiredfromthepatientwiththeoptionofoptinginoroptingout.Patientsareadvisedofthisviaasigninthewaitingareaandinthepractice’sinformationleaflet.
TelephoneCalls
Requestsforpatientinformationaretobetreatedwithcareandnoinformationistobegivenoutwithoutadherencetothefollowingprocedure:
1. Takethetelephonenumber,nameandaddressofthepersoncalling2. Forwardthisontothetreatingdoctor/principalorthepracticemanagerwhereappropriate.
PracticePolicy–CollectionandManagementofPersonalHealthInformation
AustralianPrivacyPrinciple1requiresourpracticetohaveadocumentthatclearlysetsoutitspoliciesonhandlingpersonalinformation,includinghealthinformation.
Thisdocument,commonlycalledaprivacypolicy,outlineshowwehandlepersonalinformationcollected(includinghealthinformation)andhowweprotectthesecurityofthisinformation.Itmustbemadeavailabletoanyonewhoasksforitandpatientsaremadeawareofthis.
Thecollectionstatementinformspatientsabouthowtheirhealthinformationwillbeusedincludingotherorganisationstowhichthepracticeusuallydisclosespatienthealthinformationandanylawthatrequirestheparticularinformationtobecollected.Patientconsenttothehandlingandsharingofpatienthealthinformationshouldbeprovidedatanearlystageintheprocessofclinicalcareandpatientsshouldbemadeawareofthecollectionstatementwhengivingconsenttosharehealthinformation.
Ingeneral,qualityimprovementorclinicalauditactivitiesforthepurposeofseekingtoimprovethedeliveryofaparticulartreatmentorservicewouldbeconsideredadirectlyrelatedsecondarypurposeforinformationuseordisclosuresowedonotneedtoseekspecificconsentforthisuseofpatients’healthinformation,howeverweincludeinformationaboutqualityimprovementactivitiesandclinicalauditsinthepracticepolicyonmanaginghealthinformation.
PracticeProcedure–CollectionandManagementofPersonalHealthInformation
Weinformourpatientsaboutourpractice’spoliciesregardingthecollectionandmanagementoftheirpersonalhealthinformationvia:
• Asignatreception• Brochure/sinthewaitingarea• Ourpatientinformationsheet
• Newpatientforms–“Consenttoshareinformation”• Verballyifappropriate• Thepracticewebsite.
Theprivacypolicyshouldoutline:
• Thepractice’scontactdetails• Whatinformationiscollected• Whyinformationiscollected• Howthepracticemaintainsthesecurityofinformationheldatthepractice• Therangeofpeoplewithinthepracticeteam(egGPs,practicenurses,GPRegistrars,students
andalliedhealthprofessionals),whomayhaveaccesstopatienthealthrecordsandthescopeoftheaccess
• Theproceduresforpatientstogainaccesstotheirownhealthinformationonrequest• Thewaythepracticegainspatientconsentbeforedisclosingtheirpersonalhealthinformationto
thirdparties• Theprocessofprovidinghealthinformationtoanothermedicalpracticeshouldpatientsrequest
that• Theuseofpatienthealthinformationforqualityassurance,researchandprofessional
development• Theproceduresforinformingnewpatientsaboutprivacyarrangements• Thewaythepracticeaddressescomplaintsaboutprivacyrelatedmatters• Thepractice’spolicyforretainingpatienthealthrecords.
A‘collectionstatement’setsoutthefollowinginformation:
• Theidentityofthepracticeandhowtocontactit• Thefactthatpatientscanaccesstheirownhealthinformation• Thepurposeforwhichtheinformationiscollected• Otherorganisationstowhichthepracticeusuallydisclosespatienthealthinformation• Anylawthatrequirestheparticularinformationtobecollected(egnotifiablediseases)• Themainconsequencefortheindividualifimportanthealthinformationisnotprovided.
Priortoapatientsigningconsenttothereleaseoftheirhealthinformationpatientsaremadeawaretheycanrequestafullcopyofourprivacypolicyandcollectionstatement.
Patientconsentforthetransferofhealthinformationtootherprovidersoragenciesisobtainedonthefirstvisit.Acopyofourconsentformisincludedbelow.Oncesignedthisformisscannedintothepatient’srecordanditscompletionnoted.
NOTE:Consentfortransferofinformationdiffersfromproceduralconsent.
PracticePolicy–TransferofHealthInformation
Transferofmedicalrecordsfromthispracticecanoccurinthefollowinginstances:
• Formedico-legalreasonsegrecordissubpoenaedtocourt• Whenapatientasksfortheirmedicalrecordtobetransferredtoanotherpractice,dueto
movingresidenceorforotherreasons• Whereanindividualmedicalrecordreportisrequestedfromanothersource• Wherethedoctorisretiringandthepracticeisclosing.
Ourpracticeteamcandescribetheproceduresfortimely,authorisedandsecuretransferofpatienthealthinformationtootherprovidersandinrelationtovalidrequests.
PracticeProcedure–TransferofHealthInformation
RequestsforTransferofMedicalRecordsforMedico-legalReasons
Referto3rdPartyrequestsforaccesstomedicalrecords/healthinformationabove.
ReceivingaRequesttoTransferMedicalRecordstoaPatient’sNewClinic
Inaccordancewithstateandfederalprivacyregulations,arequesttotransfermedicalrecordsmustbesignedbythepatientgivingusauthoritytotransfertheirrecords.
Therequestformshouldcontain:
• Thenameofthereceivingpractitionerorpractice• Thename,address(bothcurrentandformerifapplicable)anddateofbirththepatientwhose
recordisrequired• Thereasonfortherequest.
Whenfulfillingarequest,thispracticemaychoosetoeither:
• Prepareasummaryletter(manuallyorviaclinicalsoftware)andincludecopiesofrelevantcorrespondenceandresultspertinenttotheongoingmanagementofthepatient
• Makeacopyofthemedicalrecordanddispatchthecopytothenewpractice,retainingtheoriginalonsiteforaminimumof7years.
Therequestingclinicisadvisedifweproposetotransferasummaryoracopyofthefullmedicalrecord.Iftheyhaveapreferencetheformatcanbenegotiatedortheycanchoosenottoproceedwiththetransferandseekacopythroughaseparateaccessrequest.
Ifthereisgoingtobeanyexpensesrelatedtothetransfertherequestingclinicisadvisedpriortosendingthemedicalrecordsandoncethefeehasbeenpaidweprocesstherequestassoonaspossible.Anychargesmustnotexceedtheprescribedmaximumfee.
Thepatient’ssignedrequestletter/formandanotationthatthepatienthastransferredismadeonthemedicalrecord.Includethenameandaddressofthenewpracticeandthedispatchdetails(egviaprioritymailorconfidentialcourierorinanelectronicform).
Electronicdatatransmissionofpatienthealthinformationfromourpracticeisinasecureformat.
NOTE:Thereareanumberofwaystheinformationcanbetransferred,dependingontherequestfromthepatientandclinic:viasecurepost;encryptedemail(ifcomputerisedrecords)or,ifthepracticeisreleasingcopiesoftheentirerecordandthepatientrequestsaccess(HealthRecordsAct),thepracticemaywishtomakeanappointmenttimewiththepatienttoofferanappropriateexplanationandcounselfromtheGPorasanalternativemaychoosetosupplyasummaryofthehistory.
Allreasonablestepsaretakentoprotectthehealthinformationfromlossandunauthoriseddisclosureduringthetransfer.
Thispracticedoesnotallowindividualstocollectthefileandtakeittotheirnewprovider.
MakingaRequestforaPatientMedicalRecordfromanotherSource
Accesstoanewpatient’spreviousrecordcanassistwithmaintainingthecontinuityofcareofthepatient.
Whenrequestingrecordsfromanotherclinicastandardrequestfortransferofmedicalrecordstemplate(seesamplebelow)shouldbeused.
Thisshouldcontain:
• Thepatient’sdetails,thepatientshouldbeidentifiedbyname,address(bothcurrentandformerifapplicable)anddateofbirth
• Thereasonforrequestincludingthenameofthedoctormakingtherequest• Therequestfortransferofpatientfilesshouldbeauthorisedbythepatient
Ifthefileswillberequestedelectronically,specificdetailsoftheformatneedstobeincludedsuchasHTMLorXML.
Iftheclinicadvisesyouthatthepatientsarelikelytoincuroutofpocketexpensesrelatedtotransfer,pleaseadvisethepatientpriortoacceptingthetransferredmedicalrecords.
Whenadoctorisretiringandthepracticeisclosing
ThecorrectprocessforhandlingpatienthealthinformationontheclosureofapracticeisavailableintheOFPCGuidelinesatwww.privacy.gov.au/materials/types/guidelines/view/6517.
Thefollowingfactsheetmaybeuseful:Transfer/closureofapracticeorbusinessofahealthserviceproviderhttp://www.health.vic.gov.au/hsc/infosheets/closure.pdf
NOTE:Ahealthserviceproviderwhohasadisputewithanorganisationinrelationtoarequesttoaccesshealthinformationcannotcomplainonbehalfofthepatient.
Acomplaintmustbeledgedinwriting,bythepatientwiththeHealthServicesCommissioner(HSC).Asamplecomplaintformcanbefoundbelow.Adetailedletterisalsorequired.
PracticePolicy–Research
Researchactivity,bothwithinthepracticeandthroughreputableexternalbodiesisencouraged.
Patientsconsentisessentialforinvolvementinresearchprojects.Wheneveranymemberofourpracticeteamisconductingresearchinvolvingourpatients,wecandemonstratethattheresearchhasappropriateapprovalfromanethicscommittee.Theresearchprotocol,consentproceduresandprocessforresolvingproblemsshouldberetainedbythepractice.
Researchactivitiesaredistinctfromauditsundertakenbythepracticeaspartofqualityimprovementactivities.ResearchprojectsrequireapprovalfromanEthicscommitteebut“inhouse”practiceauditsdonot.
Whenwecollectpatienthealthinformationforqualityimprovementauditsorprofessionaldevelopmentactivities,weonlytransferdeidentifiedpatienthealthinformationtoathirdpartyonceinformedpatientconsenthasbeenobtained.
Privacyandconfidentialityisparticularlyimportantespeciallywhenconsideringinvolvementincommercialmarketresearchactivities.
Ourpracticeconsidershowidentifiabletheirpatientinformationwillbeusingthefollowing:
• Identifiablepatientinformation–bywhichindividualpatientscanbeidentified• De-identifiedpatientinformation–whichcannotbetracedbacktotheindividual• Potentiallyidentifiableinformation–couldpossiblybetracedbacktoindividualsorgroupsof
individuals
PracticeProcedure–Research
Researchprojectsinvolvingpatientcare
• Musthavetheexplicitanddocumentedwrittenconsentofthepatient• Thepatientmustreceiveawrittenandoralexplanationabouttheresearchandbeableto
withdrawconsentatanytime• Theprojectmustbeapprovedbyarelevanthumanresearchethicscommittee(HREC)
establishedundertheNH&MRCguidelines• Privacylawsmustbeadheredto.
Researchprojectsinvolvingresearchorclinicalauditsusingde-identifieddatashouldideallyhavepatientsconsent.Thiscanbeinmoregeneraltermssuchasbywaitingroomnoticeorpracticeinformationsheet.
• Extremecaremustbetakennottoallowpatientidentificationfromsmalland/orunusualcohorts
ForQI&CPDactivitiesthatrequirethetransferofpatientinformationoutsidethepractice(egNPSactivities)weneedto:
• EnsuretheactivitycomplieswithrelevantguidelinesonQI&CPD(issuedbyanappropriatespecialistmedicalcollege)
• Ensuretheactivityisapprovedbythatcollege• RetainacopyoftheQI&CPDapprovalfortheactivity• Obtainpatientconsentiftransferringidentifiablepatientinformation
Thepracticeshouldretainarecordoftherequestforparticipationinanyresearchproject,includingtheresearchprotocol,consentproceduresandprocessforresolvingproblemsshouldberetainedbythepractice.
NarreWarrenMedicalCentreConsentFormfortheCollectionofPersonalHealthInformation
NarreWarrenMedicalCentre2MalcolmCourt NarreWarren [email protected]
NarreWarrenMedicalCentre
Require your consent to collect person information about you. Please read this consent formcarefully,andsignwhereindicatedbelow.
NarreWarrenmedical Centre collects information from you for the primary purpose of providingquality health care. We require you to provide us with your personal details and a full medicalhistorysothatwemayproperlyassess,diagnose,treatandbeproactiveinyourhealthcareneeds.Thismeanswewillusetheinformationyouprovideinthefollowingways:
• Administrativepurposesinrunningourmedicalpractice• Billing purposes, including compliance with Medicare and Health Insurance Commission
requirements• Disclosure to others involved in your healthcare including treating doctors and specialists
outside thismedicalpractice.Thismayoccur through referral tootherdoctors,or formedicaltestsandinthereportsorresultsreturnedtousfollowingreferrals
• Disclosuretootherdoctorsinthepractice,locumsetcattachedtothepracticeforthepurposeofpatientcareand teaching.Please letusknow ifyoudonotwantyour recordsaccessed forthesepurposes,andwewillnotinyourrecordaccordingly
• Disclosure for research and quality assurance activities to improve individual and communityhealthcareandpracticemanagement,allinformationintheseinstancesisun-identified.Youwillbeinformedwhensuchactivitiesarebeingconductedandgiventheopportunityto“optout”ofanyinvolvement
I have read the information above and understand the reasons why my information must becollected.IamalsoawarethatthispracticehasaprivacypolicyonhandlingPatientInformation.
IunderstandthatIamnotobligedtoprovideanyinformationrequestedofme,butfailuretodosomaycompromisethequalityofhealthcareandtreatmentgiventome.
Iamawareofmyrightstoaccesstheinformationcollectedaboutme,exceptinsomecircumstanceswhereaccessmaybelegitimatelywithheld.Iwillbegivenanexplanationinthesecircumstances.
Iunderstandthatifmyinformationistobeusedforanyotherpurposeotherthansetoutabove,myfurtherconsentwillbeobtained.
Iconsenttothehandlingofmyinformationbythepracticeforthepurposesetoutabove,subjecttoanylimitationsonaccessordisclosureofwhichInotifythispractice.
Name……………………………………………………………………Signed…………………………………………………………………
NameofGuardian(forchild)……………………………….Signed…………………………………………………………………..
Date…………………………………………………………………………………………………………………………………………………….
NWMCRequestforPersonalHealthInformation
NarreWarrenMedicalCentre2MalcolmCourt NarreWarren [email protected]
PatientDetails
Familyname…………………………………………………………………….GivenName/s…………………………………………………………..
Address……………………………………………………………………………………………………………………………………………………………….
DateofBirth……………./……………/……………………………………..
Applicantifnotthepatient………………………………………………Relationshiptopatient…………………………………………….
HealthInformationRequested
!Pathologyresults Specifydate/s……………………………………………………………………………....!X-rayresults Specifydate/s………………………………………………………………………………..!Othertestresults Pleasespecify…………………………………………………………………………………!Asummaryofmyhealthrecord!HealthRecord-detailed!CurrentMedications
!Correspondenceonfile!Other,pleasegivedetails ……………………………………………………………………………………………………...…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
Howwouldyouliketoreceivethisinformation?
!Viewandinspectinformation.Iwillmakeatimeatreception!View,inspectanddiscusscontentswithmydoctor.Iwillmakeanappointmentatreception!Obtainacopy-collect!Obtainacopy–sendviamail!Obtainacopy–viaFaxNo……………………………………………………………………………………………………………………………..!Obtainacopy–viaEmail……………………………………………………………………………………………………………………………….Note:Privacyrequirementsallowthedoctorincertaincircumstancestorestrictthereleaseofmedicalrecords.
Chargingpolicy–feesmaybechargedforaccess.Pleaserequestinformationaboutyourchargingpolicy.
SignatureofApplicant………………………………………………………………………………………Date………./………./……………………
OfficeUseOnly–StafftoInitialandDateEachEntry!Daterequestreceived………./………./………. !AcknowledgementDate………./………./…………..!Identificationverifiedknowntostaff/license/passport/other…………………………………………………………………..!Appointmentmadewithdoctor!Yes!No Date………./………/………. Time:!Patienttocollect? ExpectedDate………./…………/……….!Doctoradvisedpriortorelease !Notedinpatientrecord!Recordcheckedandreadyforpatient !Dataremoved/deleted !Yes!No!Methodofaccess:view/view&Dr/copy&collect/copy&send……………………………………………………………….!FeesCharged !Yes !No Amount$...............(excludeGST)FeesReceived$……....!Accessprocesscompleted(recordviewed/sent) Date………./………./……….
RequestforMedicalRecordsTransfer
NarreWarrenMedicalCentre2MalcolmCourt NarreWarren [email protected]
Date………./………./………..
DearDr……………………………………………………..,
PracticeDetails………..………………………………………………………………………………………….……………………………………………..
PatientsFullName………………………………………………………………………………………………………..………DOB………/………/……..
OtherFamilyMembers(ifunder18yearsofage)PatientFullName………………………………………………………………………………………….…………….DOB………./………./………..
Address………………………………………………………………………………………………………..……………………………………………………..
PatientFullName………………………………………………………………………………………….…………….DOB………./………./………..
Address………………………………………………………………………………………………………..……………………………………………………..
PatientFullName………………………………………………………………………………………….…………….DOB………./………./………..
Address………………………………………………………………………………………………………..……………………………………………………..
Theabovementionednowattendsthispractice.Toassistintheirfuturemedicalmanagementwouldyoupleasekindlyforward(tickoption):!Theirclinicalrecords!Anaccuratehealthsummary,withrelevantcorrespondenceandresults!DetailsofanyCDMorPIPitemsclaimedwithinthelast2years(GPMP)
Theserecordscanbeforwardedbymail,fax,encryptedemail(PKI),non-rewriteableCD.Electronicversionshouldbe!HTML !XML
YoursSincerely,
Doctor…………………………………………………………………………………………………………………………………..……….(NameofGP)
Patient’sSignedAuthority
I,…………………………………………………………………………………………………………………………………………..(Patientsfullname)
Of………………………………………………………………………………………………………………………………………………………………….……(Patientscurrentaddressanddateofbirth)
Formerlyof…………………………………………………………………..…………………………………………………………………………………….(Patientsformeraddressifapplicable)
Authorisethereleaseofmy/myfamiliesmedicalrecordstotheforwardedto<InsertClinicName>
Signed……………………………………………………………………………………………………………………..Date………../………./………….