6.1 Privacy and Security of Personal Health Information
This practice is bound by the Federal Privacy Act (1988) and National Privacy Principles, and also complies with the Victorian Health Records Act (2001).
‘Personal health information’ is a particular subset of personal information and can include any information collected to provide a health service.
This information includes medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, accounts details and any health information such as a medical or personal opinion about a person’s health, disability or health status.
It includes the formal medical record, whether written or electronic, and information held or recorded on any other medium (e.g. letter, fax or electronically), as well as information conveyed verbally.
Our practice has designated Jose and Associates, along with the Practice Manager, as having primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security policy (Refer Section 6). This responsibility is documented in the Position Description. Tasks may be delegated to others and this person works in consultation with the privacy officer.
Our Security policies and procedures regarding the confidentiality of patient health records and information are documented and our practice team are informed about these at induction and when updates or changes occur.
The practice team can describe how we correctly identify our patients using 3 patient identifiers (name, date of birth, and address or gender) to ascertain that we have the correct patient record before entering or actioning anything from that record.
For each patient we have an individual patient health record (paper, electronic or a combination of both, “Hybrid”) containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. We also ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.
National Privacy Principle 5 requires our practice to have a document that clearly sets out its policies on handling personal information, including health information.
The collection statement informs patients about how their health information will be used, including other organisations to which the practice usually discloses patient health information and any law that requires the particular information to be collected. Patient consent to the handling and sharing of patient health information should be provided at an early stage in the process of clinical care, and patients should be made aware of the collection statement when giving consent to share health information.
In general, quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would be considered a directly related secondary purpose for information use or disclosure, so we do not need to seek specific consent for this use of patients’ health information. However, we include information about quality improvement activities and clinical audits in the practice policy on managing health information.
We inform our patients about our practice’s policies regarding the collection and management of their personal health information via:
• A sign at reception
• Brochure/s in the waiting area
• Our patient information sheet
• New patient forms: “Consent to share information”
• Verbally if appropriate
• The practice website