Date of policy: 11/10/2017
Name of practice: BARRACKS MEDICAL
To ensure patients who receive care from the Practice are comfortable in entrusting their health information to the Practice. This policy provides information to patients as to how their personal information (which includes their health information) is collected and used within the Practice, and the circumstances in which we may disclose it to third parties. Related standards: RACGP Compliance indicators for the Australian Privacy Principles: an addendum to the computer and information security standards (Second edition).
Background and rationale:
The APP provide a privacy protection framework that supports the rights and obligations of collecting, holding, using, accessing and correcting personal information. The APP consist of 13 principle-based laws and apply equally to paper-based and digital environments. The APP complement the long-standing general practice obligation to manage personal information in a regulated, open and transparent manner. This policy will guide Practice staff in meeting these legal obligations. It also details to patients how the Practice uses their personal information. The policy must be made available to patients upon request.
The Practice will:
• provide a copy of this policy upon request
• ensure staff comply with the APP and deal appropriately with inquiries or concerns
• take such steps as are reasonable in the circumstances to implement practices, procedures and
systems to ensure compliance with the APP and deal with inquiries or complaints
• collect personal information for the primary purpose of managing a patient’s healthcare and for
financial claims and payments.
The Practice’s staff will take reasonable steps to ensure patients understand:
• what information has been and is being collected
• why the information is being collected, and whether this is due to a legal requirement
• how the information will be used or disclosed
• why and when their consent is necessary
• the Practice’s procedures for access and correction of information, and responding to
complaints of information breaches, including by providing this policy.
Collection of information:
The Practice will need to collect personal information as a provision of clinical services to a patient
at the practice. Collected personal information will include patients’:
• names, addresses and contact details
• Medicare number (where available) (for identification and claiming purposes)
• healthcare identifiers
• medical information including medical history, medications, allergies, adverse events,
immunisations, social history, family history and risk factors.
A patient’s personal information may be held at the Practice in various forms:
• as paper records
• as electronic records
• as visual – x-rays, CT scans, videos and photos
• as audio recordings.
The Practice’s procedure for collecting personal information is set out below.
1. Practice staff collect patients’ personal and demographic information via registration when patients present to the Practice for the first time. Patients are encouraged to pay attention to the collection statement attached to/within the form and information about the management of collected information and patient privacy. The collection statement is below:
“In accordance with the Privacy Act (1998), all information collected in this practice is treated as “sensitive information”. To protect your privacy, this practice operates in accordance with the Act. We use the information you provide to manage your health care. In order for us to assist you, we must have all current contact info. It is the responsibility of the patient to maintain the accuracy of the information by advising the practice of changes of address, phone number, etc. Selected information may be disclosed to various other health services involved in supporting your health care management (e.g. pathology , radiology, hospital, or specialists).
If you have any questions regarding the management of your personal health information or need to arrange to access your records, please ask the staff or your doctor, as appropriate. “
2. During the course of providing medical services, the Practice’s healthcare practitioners will consequently collect further personal information.
3. Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary), or from any other involved healthcare specialists.
The Practice holds all personal information securely, whether in electronic format, in protected information systems or in hard copy format in a secured environment.
Use and disclosure of information
Personal information will only be used for the purpose of providing medical services and for claims and payments, unless otherwise consented to. Some disclosure may occur to third parties engaged by or for the Practice for business purposes, such as accreditation or for the provision of information technology. These third parties are required to comply with this policy.
The Practice will inform the patient where there is a statutory requirement to disclose certain personal information (for example, some diseases require mandatory notification). The Practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient. The Practice will not disclose personal information to anyone outside Australia without need and without patient consent.
Exceptions to disclose without patient consent are where the information is:
• required by law
• necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health
or safety, or it is impractical to obtain the patient’s consent
• to assist in locating a missing person
• to establish, exercise or defend an equitable claim
• for the purpose of a confidential dispute resolution process.
Access, corrections and privacy concerns
The Practice acknowledges patients may request access to their medical records. Patients are encouraged to make this request in writing, and the Practice will respond within a reasonable time.
In accordance with the Australian Privacy Principles, our procedures allow for the consideration of any results to assess whether disclosure of those results to patients might pose a serious threat of harm to the patient.
This decision is most appropriately made by the treating doctor or a doctor and our receptionists are not in a position to make that assessment.
In light of this, the following procedures exist for responding to patient requests for results:
• If a patient requests a copy of their pathology results, that are marked as ‘no action’, reception staff are to send an email to the treating doctor, notifying the doctor regarding the request by the patient to release the result. The doctor would then need to approve the release of the results to the patient before they are released by reception staff.
• If a patient requests a copy of their pathology results that are marked for “urgent” or “non-urgent recall”, reception staff are to advise the patient that the request will need to be put through to the patient’s treating doctor and that doctor’s approval will need to be required before the results are released to the patient. If the patient advises they have discussed these results with another doctor, reception staff are to email the requesting doctor. Our receptionist always has to obtain approval from the treating doctor to release results to a patient.
• In some circumstances, the treating doctor may decide that the results might be distressing for the patient, and the doctor would prefer to give those results in person. In this situation, the patient is directed to submit a formal request, which enables the practice to verify the patient’s identity via their license or passport. A copy of the request form, ‘Request for Personal Health Information’ is attached.
• If a patient requests a copy of their pathology results to be given to their specialist, or another doctor outside of our clinic, and there is a current recall in place, reception staff are to email the requesting doctor (if this doctor is not available, the request is put through to another doctor in the clinic at the time) asking for permission to send these to the doctor requested.
The Practice will take reasonable steps to correct personal information where it is satisfied they are not accurate or up to date. From time to time, the Practice will ask patients to verify the personal information held by the Practice is correct and up to date. Patients may also request the Practice corrects or updates their information, and patients should make such requests in writing.
The Practice takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve it in accordance with its complaint resolution procedure.
Compliance indicators for the Australian Privacy Principles: An addendum to the computer
and information security standards (Second edition)
RACGP Computer and information security standards (CISS) and templates (2013)
The RACGP Privacy handbook & patient pamphlet