
Confidentiality and Privacy Policy
Purpose
To ensure patients who receive care from the Practice are comfortable in entrusting their health information to the Practice. This policy informs patients how their personal information (which includes their health information) is collected and used within the Practice, and the circumstances in which we may disclose it to third parties. All information collected by this practice is deemed to be private and confidential. The right of every patient to privacy is respected.
This practice complies with federal and New South Wales (NSW) privacy regulations including the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 as well as complying with standards set out in the RACGP Handbook for the management of health information in general practice (3rd edition).
Under no circumstances are members of the practice team to discuss or in any way reveal patient conditions or documentation to unauthorised staff, colleagues, other patients, family or friends, whether at the practice or outside it, such as in the home or at social occasions. This includes patients’ accounts, referral letters and other clinical documentation.
General practitioners and other practice team members are aware of confidentiality requirements for all patient encounters, and recognise that significant breaches of confidentiality may provide grounds for disciplinary action or dismissal.
Every member of the practice team is aware of our Privacy Policy and has signed a privacy statement as part of their terms and conditions of employment or contract. This privacy statement continues to be binding even after the employment or contract has terminated.
Our practice has appointed a designated person with primary responsibility for the practice’s electronic systems and computers. This responsibility is documented in their position description. Specific tasks may be delegated to others, and this person works in consultation with the privacy officer.
The practice team can describe how we correctly identify our patients, using three (3) patient identifiers to confirm we have selected the correct patient record before entering or actioning anything in that record.
The management of all practice computers and servers complies with the RACGP’s Computer and information security standards (CISS) (2nd edition), and we have a sound backup system and a contingency plan to protect the practice from loss of data.
Members of the practice team have different levels of access to patient personal health information as appropriate to their roles and, to maintain security, all computer hardware and software passwords are kept confidential and are not disclosed to others.
Background and rationale
The Australian Privacy Principles (APP) provide a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APP consist of 13 principle-based laws and apply equally to paper-based and digital environments. The APP complement the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner.
This policy will guide Practice staff in meeting these legal obligations. It also details to patients how the Practice uses their personal information. The policy must be made available to patients upon request.
Policy
The Practice will:
- provide a copy of this policy upon request
- ensure staff comply with the APP and deal appropriately with inquiries or concerns
- take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints
- collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments.
Staff responsibility
The Practice’s staff will take reasonable steps to ensure patients understand:
- what information has been and is being collected
- why the information is being collected, and whether this is due to a legal requirement
- how the information will be used or disclosed
- why and when their consent is necessary
- the Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.
Patient consent
The Practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose.
Collection of information
The Practice will need to collect personal information as part of providing clinical services to a patient at the practice. Collected personal information will include patients’:
- names, addresses and contact details
- Medicare number (where available, for identification and claiming purposes)
- healthcare identifiers
- medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors.
A patient’s personal information may be held at the Practice in various forms:
- as paper records
- as electronic records
- as visual records – x-rays, CT scans, videos and photos
- as audio recordings.
The Practice’s procedure for collecting personal information is set out below.
- Practice staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to or within the registration form, and to the information it provides about the management of collected information and patient privacy.
- During the course of providing medical services, the Practice’s healthcare practitioners will collect further personal information.
- Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary), or from any other involved healthcare specialists.
The Practice holds all personal information securely, whether in electronic format within protected information systems or in hard copy format in a secured environment.
Use and disclosure of information
Personal information will only be used for the purpose of providing medical services and for claims and payments, unless otherwise consented to. Some disclosure to third parties engaged by or for the Practice for business purposes may occur, such as for accreditation or for the provision of information technology. These third parties are required to comply with this policy. The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification).
The Practice will not disclose personal information to any third party, other than in the course of providing medical services, without full disclosure to the patient of the recipient and the reason for the information transfer, and without full consent from the patient. The Practice will not disclose personal information to anyone outside Australia without need and without patient consent.
The Practice may disclose information without patient consent only where the disclosure is:
- required by law
- necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process.
The Practice will not use any personal information for direct marketing to a patient without that patient’s express consent. Patients may opt out of direct marketing at any time by notifying the Practice by letter or email.
The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.
Access, corrections and privacy concerns
The Practice acknowledges patients may request access to their medical records. Patients are encouraged to make this request in writing, and the Practice will respond within a reasonable time.
The Practice will take reasonable steps to correct personal information where it is satisfied the information is not accurate or up to date. From time to time, the Practice will ask patients to verify that the personal information held by the Practice is correct and up to date. Patients may also request that the Practice correct or update their information, and patients should make such requests in writing.
The Practice takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve the concern in accordance with its complaint resolution procedure.
Our Practice ensures the confidentiality of patient files by:
- Not disclosing any information verbally at work, in front of other patients or over the phone, or to anyone outside of the practice, including family or friends.
- Not leaving electronic patient files open or appointment information visible to unauthorised persons, and using screen savers when leaving the computer desk for any length of time.
- Allowing patients to access their own health information by appointment; the Doctor will advise what is appropriate at the time.
- Keeping the management of personal health information confidential; patients are informed of this on our New Patient Forms and as part of our new patient letter.
- Transferring patient information confidentially: patients are given hard copies for referring doctors in an envelope marked with the referring doctor’s details, and if faxed, a cover sheet compliant with privacy requirements is used.
- Sending and receiving electronic information (i.e. correspondence from other Doctors and Pathology providers) by secure encrypted email.
- Making requests for transfer of patient records on practice letterhead, signed by both the patient and the Doctor, and including a privacy disclosure statement. Requests are usually faxed for a speedier response, scanned onto the patient’s file and then destroyed by shredding.
- Using information collected for quality improvement and professional development activities only when patients have given written consent prior to the use of their clinical records.
- Ensuring that whenever any member of our practice team is conducting research, the research is approved by an appropriate ethics committee.
- Requiring all staff members to sign a confidentiality agreement at the start of their employment.
Correspondence
There are risks associated with electronic communication in that the information could be intercepted or read by someone other than the intended recipient. Email communications with other healthcare providers are undertaken securely through the use of encryption. Email communication with patients is discouraged; however, where initiated by the patient, the risks are communicated and patient consent is obtained.
Where patient information is sent by post, the use of secure postage or a courier service is determined on a case by case basis.
Incoming patient correspondence and diagnostic results are opened and viewed only by a designated practice team member.
Items for collection or postage are left in a secure area not in view of the public.
Facsimile
Facsimile machines, printers and other electronic communication devices in the practice are located in areas that are only accessible to the general practitioners and other authorised team members. Faxing is point-to-point and a transmission will, therefore, usually reach only one location.
All facsimiles containing confidential information are sent only after ensuring the facsimile number dialled is the designated receiver before pressing ‘Send’.
Details of confidential information sent by facsimile are recorded in a designated logbook which incorporates the date of transmission, patient name, description of the contents and the designated receiver (name and facsimile number).
A copy of the transmission report produced by the facsimile is kept as evidence that the facsimile was successfully transmitted, and as evidence the information was sent to the correct facsimile number.
Facsimiles received are managed according to incoming correspondence protocols.
The word ‘Confidential’ is to be recorded in the header of the facsimile coversheet, and the following facsimile disclaimer notice is to appear at the bottom of all outgoing facsimiles affiliated with the practice:
The medical information contained in this fax is intended for the addressed recipient only. It may contain patient or other privileged and/or confidential information.
If you are not the intended recipient and this fax has been received by you in error, any use of, reliance upon, disclosure to unintended persons or copying of this document is a contravention of the Privacy Act.
If this fax is not addressed to you, please shred it and telephone or otherwise notify the sender of this document/s as soon as possible.
We thank you for your discretion.
Patient consultations
Patient privacy and security of information are maximised during consultations by closing the consulting room doors. When consulting room, treatment room or administration office doors are closed, practice team members must knock and wait for a response before entering.
Where locks are present on individual rooms, these should not be engaged except when the room is not in use.
It is the general practitioner’s or healthcare team member’s responsibility to ensure that prescription paper, patient health records and related personal information are kept secure if they leave their room during a consultation or treatment, or whenever they are not in attendance in the consulting/treatment room.
Patient health records
The physical health records and related information created and maintained for the continuing management of each patient are the property of this practice. This information is deemed a personal health record and, while the patient does not have ownership of the record, he/she has the right of access under the provisions of the Privacy Act 1988. Requests for access to a patient’s health record will be acted upon only if the request is received in written format.
Both active and inactive patient health records are kept and stored securely.
A patient health record may be solely electronic, solely paper-based, or a combination (hybrid) of paper and electronic records.
Our practice is considered paperless and has systems in place to protect the privacy, security, quality and integrity of the personal health information held electronically. Appropriate staff members are trained in computer security policies and procedures.
Members of the practice team have different levels of access to personal patient health information as appropriate to their roles and, to maintain security, all computer hardware and software passwords are kept confidential and are not disclosed to others.
Related resources
| Ref. / Version # | Effective Date (DD-MMM-YYYY) | Review Date (DD-MMM-YYYY) |
|---|---|---|
| P-111v1 | 28 Apr 2014 | 28 Apr 2017 |
| P-111v2 | 06 Feb 2017 | 06 Feb 2020 |
| P-111v3 | 06 Feb 2020 | 06 Feb 2023 |
| P-111v4 | 06 Feb 2024 | 05 Feb 2027 |

| Version # | Summary of Revision | Date (DD-MMM-YYYY) |
|---|---|---|
| 1 | New | 02 Oct 2013 |
| 2 | Updated to align with RACGP APP Privacy Policy (Feb 2014); Related resources added; Revision history section added in the Policy | 01 Jul 2016 |
| 3 | Policy aligned to RACGP Standards for general practices 5th edition | 06 Feb 2020 |
| 4 | No changes, periodic review only | 06 Feb 2024 |