This practice is bound by the Federal Privacy Act 1998 and National Privacy Principles, and also complies with the Privacy Amendment (Private Sector) Act 2000.
‘Personal health information’ is a particular subset of personal information and can include any information collected to provide a health service.
This information includes medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, account details and any health information such as a medical or personal opinion about a person’s health, disability or health status.
It includes the formal medical record, whether written or electronic, and information held or recorded on any other medium (e.g. letter, fax or electronic file) or information conveyed verbally.
Our practice has engaged an independent consultant as a designated contact (IT&T, 2/81 Keira Street, Wollongong, +61242289555, www.itt.com.au) with primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security policy (Refer 6.1.1). Tasks may be delegated to others, and this person works in consultation with the Practice Manager and Principal, particularly in terms of implementing staff education and ensuring adherence to protocols.
Our security policies and procedures regarding the confidentiality of patient health records and information are documented, and our practice team is informed about these at induction and when updates or changes occur.
The practice team can describe how we correctly identify our patients using 3 patient identifiers (name, date of birth, and address or gender) to ascertain that we have the correct patient record before entering or actioning anything from that record.
For each patient we have an individual patient health record, in electronic form, containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. We also ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.
Doctors, allied health practitioners and all other staff and contractors associated with this Practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right.
The maintenance of privacy requires that any information regarding individual patients, including staff members who may be patients, may not be disclosed verbally, in writing, in electronic form or by copying, either at the Practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the Practice or as legally directed.
There are no degrees of privacy. All patient information must be considered private and confidential, even that which is merely seen or heard, and therefore is not to be disclosed to family, friends, staff or others without the patient’s approval. Sometimes details about a person’s medical history or other contextual information, such as details of an appointment, can identify them even if no name is attached to that information. This is still considered health information and as such it must be protected under the Privacy Act 1998.
Any information given to unauthorised personnel will result in disciplinary action and possible dismissal. Each staff member is bound by the privacy clause contained within the employment agreement, which is signed upon commencement of employment at this Practice (Refer Section 2).
Personal health information should be kept where staff supervision is easily provided and out of view and reach of the public, e.g. not left exposed on the reception desk, in the waiting room or other public areas, or left unattended in consulting or treatment rooms.
Practice computers and servers comply with the RACGP computer security checklist, and we have a sound backup system and a contingency plan to protect the practice from loss of data (Refer 6.1.1 Computer Information Security).
Care should be taken that the general public cannot see or access computer screens that display information about other individuals. To minimise this risk, automated screen savers should be engaged or computers shut down when unattended.
Members of the practice team have different levels of access to patient health information (Refer Section 6 Computer Information Security). To protect the security of health information, GPs and other practice staff do not give their computer passwords to others in the team.
Reception and other practice staff should be aware that conversations in the main reception area can often be overheard in the waiting room, and as such staff should avoid discussing confidential and sensitive patient information in this area.
Whenever sensitive documentation is discarded the practice uses an appropriate method of destruction (shredding).
Electronic information is transmitted over the public network in an encrypted format using secure messaging software. Where medical information is sent by post, the use of secure postage or a courier service is determined on a case-by-case basis.
Incoming patient correspondence and diagnostic results are opened by a designated staff member.
Items for collection or postage are left in a secure area that is not in view of the public.
Facsimile machines, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised staff. Faxing is point to point and will therefore usually only be transmitted to one location.
All faxes containing confidential information are sent only after ensuring that the recipient at the fax number is the designated receiver.
Write “Confidential” on the fax coversheet.
Check the number dialled before pressing ‘SEND’.
Keep the transmission report produced by the fax machine as evidence that the fax was sent, and confirm the correct fax number on the report.
Faxes received are managed according to the incoming correspondence protocols.
The practice uses a fax disclaimer notice, identifying the practice, on outgoing faxes:
“This message is intended for the addressee named. It may contain confidential information. If you are not the intended recipient, please delete it and notify the sender.”
Emails are routed via various nodes and are at risk of being intercepted. Patient information may only be sent via email if it is securely encrypted according to industry and best practice standards.
Patient privacy and security of information are maximised during consultations by closing consulting room doors. All examination couches, including those in the treatment room, have curtains or privacy screens.
When consulting room, treatment room or administration office doors are closed, staff should, prior to entering, either knock and wait for a response or contact the relevant person by internal phone or Skype.
Where locks are present on individual rooms, these should not be engaged except when the room is not in use.
It is the doctor’s/health care professional’s responsibility to ensure that prescription paper, sample medications, medical records and related personal patient information are kept secure if they leave the room during a consultation or whenever they are not in attendance in their consulting/treatment room.
The physical medical records and related information created and maintained for the continuing management of each patient are the property of this Practice. This information is deemed a personal health record and, while the patient does not have ownership of the record, he/she has the right to access it under the provisions of the Commonwealth Privacy and State Health Records Acts. Requests for access to the medical record will be acted upon only if received in written format.
Our patient health records can be accessed by an appropriate team member when required.
Our Practice ensures the protection of all information contained in medical records by restricting access to password-protected accounts only. Records held at Residential Aged Care Facilities can be accessed by the GP.
Both active and inactive patient health records are kept and stored securely.
A patient health record may be solely electronic, solely paper based, or a combination (hybrid) of paper and electronic records.
Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate staff members are trained in computer security policies and procedures.