
Top 10 privacy tips

Oct 28, 2014

By following some simple steps to protect privacy, a range of unfortunate events and complaints can be avoided. Some examples are set out below to help minimise the risk of a privacy breach.



1. Develop a Privacy Policy
  • Healthcare practices must have a Privacy Policy that covers the information specified in Australian Privacy Principle 1 (APP 1: open and transparent management of personal information). View our Privacy Template.
  • The practice must take reasonable steps to make its privacy policy available free of charge – eg. on its website or in the waiting area.
  • Keep the privacy policy updated. Procedures should be put in place to ensure that the policy is followed by all of the practice’s staff.
2. Access to medical records

Only release information within the scope of any current request or authority.


  • Patients: access must be provided when requested by a patient unless an exception in the privacy legislation applies. This includes access to specialists’ letters and reports. The practice has to explain in writing why access has been refused and how patients can complain about this decision. You can ask patients to put their request in writing. Inform them how long the request may take, if there is a charge payable and alert them if the charge is likely to be significant.
  • Insurers: patients can authorise third parties to have access to their records. The authority should be signed and dated by the patient (within the previous six months), and specify what is authorised to be released. Check with the patient if there is any doubt about the scope of the authority – particularly if it involves the disclosure of sensitive information (eg. sexual/mental health issues). Do they still want to authorise the release of information? They may need to obtain advice about the authority if the insurer still insists on seeing the records.
  • Separated parents: parents have equal shared responsibility for their children and therefore an entitlement to request access to their medical records, unless a court orders that only one parent has custody of the children. Check if any court orders are in place. If not, it is acceptable to provide the records to one parent without telling the other. In an acrimonious separation, it may be necessary to agree with both parents about how medical records are to be accessed and disclosed.
  • Police: in general, the police should have authority from the patient or a warrant to obtain health information. There are some circumstances where it is permissible to disclose information to the police without a patient’s consent (APP 6: investigation of a crime, location of a missing person), but if you are in doubt, check with Avant.
3. Do not provide information to patients’ employers without the patients’ consent

Example: Dr Johns provides Max with a medical certificate for time off work. Max’s employer rings Dr Johns and wants to know what is wrong with Max, challenging the certificate.

You may confirm the date that was written on the original certificate (if there is a suggestion of fraudulent tampering with the certificate by the employee), but no further information should be disclosed without the patient’s consent.


4. Keep patient contact details up to date

Example: A patient cannot be located for follow up as her contact details have changed.

Ensure you obtain the patients’ consent for contacting them via telephone (check the number), SMS or email. Check that patient details are correct each time they attend the practice.

Example: The practice calls Sally and leaves a message on her home phone asking her to call the practice for some test results. Sally complains to the practice, as due to the message her mother wants to know why she has had blood tests.

  • The new patient registration form should specify how the patient wishes to be contacted.
  • Do not include confidential health information in an SMS. For example, do not specify what the appointment is for.
  • Sending an SMS without consent may be a breach of the Spam Act 2003 (Cth).
5. Obtain patient consent for clinical photographs
  • Ensure mobile devices used to take photographs are password protected and securely stored. Download clinical photographs from mobile devices into the patient’s medical records as soon as possible and delete the photographs from the device.
  • Do not use identifiable clinical photographs for education or marketing purposes without patient consent.
6. Conversations in public areas: be mindful

Be careful about conversations in public areas and only access medical records when there is a legitimate clinical or business need.

Example: The receptionist was overheard discussing the medical history of a neighbour who complained that the receptionist had no need or right to access her medical records.

  • It is reasonable to share information in a shared practice, but medical records should only be accessed for the purpose of providing care and treatment to the patient or for running the business.
  • External contractors (eg. IT technicians) should be required to sign confidentiality agreements.
7. Implement automatic computer log off

Example: Whilst Dr Smith is out of his room, his computer is accessed and prescriptions for pethidine are created using his name and prescriber number, as the computer had not been logged off.

  • The computer should be programmed to log off automatically when it has not been accessed for a short time.
  • Close computer programs containing patient information when they are not in use or when patients enter the room to avoid an inadvertent disclosure of patient information.
8. Change computer passwords

Example: A standard password was given to all staff when the new computer system was installed. It has never been changed.

  • Passwords shouldn’t be shared. They should be changed on a regular basis, include letters and numbers, and not be written down near the computers.
9. Implement a safe back up system and store and dispose of paper-based records securely
  • The practice must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification, disclosure and interference (APP 11).
  • Anti-virus and anti-malware software should be installed on all of the computers.
  • Back up data in a secure offsite location.
  • Once the retention period for holding medical records expires, the records must be disposed of in a secure way that preserves confidentiality. If there is a possibility of a claim or complaint by a patient, the records should be retained.
  • Garbage bins in communal areas of a shared practice are not appropriate for patient identifiable waste. Consider using a shredder or secure waste disposal systems.
  • The same requirement applies to the disposal of hardware (computers, laptops, USB sticks): these may need to be physically destroyed to delete confidential information permanently.
10. Be responsive to complaints
  • Appoint a dedicated team or staff member to manage complaints, with a clear complaints resolution system.
  • Take all complaints seriously and investigate them. Most complaints can be resolved quickly and easily by responding promptly. Try to resolve the complaint at the local level so it doesn’t escalate to the regulator.
  • If you’ve done the wrong thing, apologise and also tell the patient what you are doing to investigate the complaint. Keep them updated if the investigation is going to take time. Contact Avant if you need advice on how to manage the complaint.
  • Some members are unsure how far they can or should go in apologising to patients – guidance can be found in Avant’s position statement on ‘open disclosure’.
  • Communicate with the patient to let them know the outcome once you have finalised your investigation, and what you’ve done to improve your processes if this is relevant.
  • Some patients will still not be happy. Recognise the point or ‘line in the sand’ where the organisation has done as much as it can to try and resolve an issue, and may have to end the internal resolution process. The patient should be informed that he or she may contact the Privacy Commissioner if they are not happy with the outcome of the investigation.

Learn more

For more information on the privacy laws view Avant’s webinar ‘Changes to privacy laws: $1.7 million reasons to be up-to-date’.

View the Office of the Australian Information Commissioner (OAIC) Guide to information security – April 2013 and the Royal Australian College of General Practitioners (RACGP) Computer and Information Security Standards.
