RESPECTING THE PRIVACY OF YOUR HEALTH INFORMATION
Personal health information is a particular subset of personal information and can include any information collected about a person in order to provide a health service.
The information we collect about a patient can include medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, accounts details, and any health information such as a medical or personal opinion about a person’s health, disability or health status.
Personal health information also includes the formal health record (written or electronic) and information held or recorded on any other medium (e.g. letter, facsimile, electronic, verbal).
As we are an Australian-based organisation, any data and information we collect is held, used and disclosed in accordance with the Privacy Act 1988.
Our security policies and procedures regarding the confidentiality of patient health records and other personal information are documented and our practice team are informed about these at induction and when updates or changes occur.
The practice team can describe how we correctly identify our patients using three (3) patient identifiers to confirm we have selected the correct patient record before entering or actioning anything from that record.
For each patient we have an individual patient health record containing all clinical information held by our practice relating to that patient. Our practice ensures the protection of all information contained within these files. Our patient health records are accessed only by an appropriate team member as required, and we ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.
If a breach of privacy occurs within our practice, we have processes in place to ensure this breach is reported appropriately, handled quickly and effectively, and reviewed to prevent recurrence.
Breaches occur if personal patient information held by the practice is accessed by or disclosed to unauthorised personnel (such as hackers, incorrect recipients or contractors visiting the practice), or is lost entirely by the practice.
Our practice has appointed Dr Anthony Kresevic (Practice Principal) with responsibility for ensuring the privacy and security of personal health information held within our practice.
This includes managing the practice’s electronic systems, computer security and adherence to protocols. Our general practitioners, clinical and allied health team members and all other staff and contractors associated with this practice have a responsibility to maintain the privacy of personal health information and related financial information; the privacy of this information is every patient’s right.
The maintenance of privacy requires that any information regarding individual patients (including practice team members who may be patients) may not be disclosed either verbally, in writing or by copying it either at the practice or outside it, during or outside normal opening hours, except for strictly authorised use within the patient care context at the practice or as legally directed.
There are no degrees of privacy. All patient information must be considered private and confidential, even that which is merely seen or heard, and therefore must not be disclosed to family, friends, members of the practice team not involved in that patient’s care, or any other people without the patient’s approval.
Details about a person’s medical history or other contextual information such as details of an appointment can sometimes still identify them, even if no name is attached to that information. This is still considered personal information and as such it must be protected in accordance with the Privacy Act 1988.
Any information given to unauthorised persons will result in disciplinary action and possible dismissal. Each member of our practice team is bound by a confidentiality agreement, which is signed upon commencement of working at our practice.
Edmonton Family Medical Centre understands the importance of protecting patient information at all costs. However, in the event that a data breach does occur, our practice complies with the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breach (NDB) Scheme, under which notification must be made where the breach is deemed ‘eligible’ for notification.
An eligible data breach is when there is evidence of unauthorised access, unauthorised disclosure, or loss of personal health information; the breach is likely to result in serious harm to one or more individuals; and the practice has not been able to prevent the risk of harm through remedial actions.
If all three of these criteria are met, Edmonton Family Medical Centre reports the breach to the OAIC using the Notifiable Data Breach Form available from their website. We then ensure we have notified any patients or personnel affected by the breach, as well as our medical indemnity insurer and all practice GPs’ personal insurance providers.
For breaches relating to My Health Record, the Australian Digital Health Agency will also need to be notified in addition to the notification made to the OAIC.
Upon notification of the breach and all possible remedial action being taken by the practice, our practice logs the incident within our incident register for review at the next practice team meeting or, if the data breach is significant, at a specifically arranged meeting as soon as possible.
Any changes to systems or processes as a result of a breach are communicated to the practice team and are regularly monitored to ensure the changes remain in place and are effective for preventing a recurrence of the incident.
The management of all practice computers and servers complies with the RACGP’s Information Security in General Practice guidelines, and we have a sound backup system and a contingency plan to protect the practice from loss of data.
Members of the practice team have different levels of access to patient personal health information as appropriate to their roles.
There are risks associated with electronic communication in that the information could be intercepted or read by someone other than the intended recipient. Email communications with other healthcare providers are undertaken securely through the use of encryption. Email communication with patients is discouraged; however, where initiated by the patient, the risks are communicated and patient consent is obtained.
Facsimile, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised team members.
Patient privacy and security of information is maximised during consultations by closing the consulting room doors. When the consulting, treatment room or administration office doors are closed, practice team members must ensure they knock and wait for a response prior to entering.
The physical health records and related information created and maintained for the continuing management of each patient are the property of this practice. This information is deemed a personal health record and while the patient does not have ownership of the record, he/she has the right to access under the provisions of the Privacy Act 1988. Requests for access to a patient’s health record will be acted upon only if the request is received in written format.
Both active and inactive patient health records are kept and stored securely.
A patient health record may be solely electronic, solely paper-based, or a combination (hybrid) of paper and electronic records.
Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate team members are trained in computer security policies and procedures.