Privacy Policy

Introduction

This is an extremely important code of ethical behaviour and must be maintained at all times by all staff. Blackwood Family Medical Centre is bound by the Federal Privacy Act 1998, the Australian Privacy Principles and the National Privacy Principles with the Health Records Act SA 1997. The legal requirements of confidentiality extend from the Practice Principal/s to all Clinicians and staff.


This policy outlines how this practice handles personal health information collected (including health information) and how we protect the security of this information. The collection statements inform patients about how their health information will be used, including other organisations to which the practice usually discloses patient health information and any law that requires the particular information to be collected. Patient consent to the handling and sharing of their information should be provided at an early stage of clinical care.

Personal Health Information

For each patient, we have an individual patient health record (electronic) containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. We also ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.


'Personal Health Information' refers to a particular subset of personal information and can include any information collected to provide a health service. This information includes medical details, family information, name, address, employment, and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, account details, and any health information such as a medical or personal opinion about a person’s health, disability, or health status. It includes the formal medical record, whether written or electronic, and information held or recorded on any other medium, e.g. letter, fax, or electronically, or information conveyed verbally.



Our practice informs our patients about our policies regarding the collection and management of their personal health information via:


  • a sign at reception/waiting area (USB on TV Display).
  • brochure/s in the waiting area.
  • patient information sheet.
  • new patient forms - consent to share information.
  • verbally, if appropriate.
  • practice website.

Privacy Officer

Our practice has a designated person, the practice manager, with the primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security Policy. This responsibility is documented in the Position Description. Tasks may be delegated to others and this person works in consultation with the privacy officers.



The privacy officers act as liaison for all privacy issues, patient requests for access to their personal health information, and any staff members' queries or concerns regarding privacy laws (Commonwealth Privacy Act - Privacy Amendment (Privacy Sector) Act 2000 or Health Records Act SA 1997).


The Privacy officer is responsible for ensuring compliance with relevant privacy principles and legislation, and for developing and maintaining our written protocols.

Protocol

Patients’ medical records are medico-legal documents and are not to be left where they could be viewed by others, especially on the reception desk.


Any paperwork left on the reception desk, which is still in process, MUST be placed face-down, to ensure the name and details are not visible to others.


Doctors do not leave any information on their desks which may be viewed by unauthorised parties.


All staff are required to lock their computers when leaving their desk, irrespective of how long they will be away.


Patient diagnoses, results and history should not be disclosed around other patients and are only to be discussed amongst those who are “need to know”.


Patient information is not to be disclosed to family members or any other party, unless the patient has authorised this and the authorisation is documented in the patient’s medical record.


Under no circumstances are employees of this practice to discuss or in any way reveal patient conditions or documentation to unauthorised staff, other patients, family, or friends, whether within this practice or outside it, such as at home or on social occasions. This also includes patient accounts, referral letters or other clinical documentation.



All staff at Blackwood Family Medical Centre are aware of the Confidentiality and Privacy of Personal Health Information Policy and have signed a privacy agreement as a part of their terms and conditions of employment. This privacy statement continues to be binding on employees even after their employment has been terminated.

Patient Consent

We require patient consent to collect and use information about them. This will be done when the patient joins the surgery by completing and signing our new patient form and consent form. The patient can revise their consent at any time by speaking with our Practice Manager or the patient's treating doctor/nurse.



Employees of Blackwood Family Medical Centre will not discuss or in any way reveal patient conditions or documentation to unauthorised staff, colleagues, other patients, family, or friends, whether at this practice or outside it, such as in the home, or at social occasions or in social media. This includes patient accounts, referral letters or other clinical documentation.


General Practitioners and staff are aware of confidentiality requirements for all patient encounters and recognise that significant breaches of confidentiality may provide grounds for disciplinary action or dismissal.

Collection of Information

Our practice collects personal and health related information for the primary purpose of providing comprehensive, ongoing, holistic medical care to individuals and families in accordance with accepted, high quality general medical practice.


The minimum personal and health details we require to be able to provide the patient with safe medical care include:


  • Full name (as known by Medicare)
  • Date of Birth
  • Residential Address and Postal Address
  • Contact phone numbers
  • Accounts details
  • Current Medicare, DVA Number
  • Current Health Care Card/ Pension Card number where appropriate
  • Details of any allergies or suspected allergies
  • Current drugs or treatments used by the patient.
  • Any health information such as a medical/personal opinion about a person’s health, disability, or health status.
  • Previous and current medical history, including where clinically relevant a family medical history.
  • The name of any health service provider or medical specialist to whom the patient has been referred.
  • Copies of any letters of referrals and copies of any reports back
  • Formal medical record whether written or electronic and information held or recorded on any other medium e.g. letter, fax, or electronically or information conveyed verbally.

To assist us in providing the patient with the best possible care the patient will also be asked for information about:

  • Whether the patient identifies as Aboriginal or Torres Strait Islander.
  • Cultural information such as language spoken and country of origin.
  • Next of Kin and/or emergency contact.

Use and Disclosure of Information


Consent for:

  • Administrative purposes in running our medical practice.
  • Billing purposes, including compliance with Medicare and Health Insurance Commission requirements.
  • Disclosure to others involved in your healthcare, including treating doctors and specialists outside of this medical practice. This may occur through referral to other doctors, or for medical tests and in the reports or results returned to us following referrals.
  • Disclosure to other doctors in the practice, locums etc. attached to the practice for the purpose of patient care and teaching.
  • For research and quality assurance activities to improve individual and community healthcare and practice management. Usually, information that does not identify you is used, but should information that will identify you be required, you will be informed and given the opportunity to “opt out” of any involvement.
  • To comply with any legislative or regulatory requirements e.g. notifiable diseases
  • For reminder letters, which may be sent to you regarding your health care and management.
  • For preventative health programs.

Who can access Patient Health Information:


  • All Doctors at this Practice
  • The Practice Nurse (only as required)
  • The Practice Manager (only as required)
  • Administration Staff – for general documentation and importing documents (restricted access, only as required)
  • Allied Health (limited access only as required during consultation)

Personal Health Information collected by us may be used or disclosed:


  • For the purpose patients were advised of at the time of collection of the information by us
  • As required for delivery of the health services to the patient
  • As required for the ordinary operation of our services (e.g. refer the patient to a medical specialist or other health service provider)
  • As required under compulsion of law
  • Where there is a serious and imminent threat to an individual’s life, health or safety, or a serious threat to public health or public safety.


Other than as described in this Policy or permitted under the National Privacy Act, Blackwood Family Medical Centre uses its reasonable endeavours to ensure that identifying health information is not disclosed to any person. Some of this information will be used for directly related reasons such as providing a referral to a specialist, hospital, or other health service.


We may also use information within the practice for our own quality assurance, to provide the patient with reminder letters, to inform the patient of health-related issues or programs which may be of interest, and for accounting purposes, including Medicare billing. Information may also be provided to maintain national health databases, particularly for childhood immunisations.

Access, Corrections and Privacy Concerns

Blackwood Family Medical Centre acknowledges that patients may request to access their medical records. Patients are encouraged to make this request in writing, and Blackwood Family Medical Centre will respond within a reasonable time.


Blackwood Family Medical Centre will take reasonable steps to correct personal information where it is not accurate or up to date. Blackwood Family Medical Centre may also ask patients to verify that the personal information held by the practice is up to date and correct. Patients may also request to have their personal information corrected or brought up to date by the practice, through a written request.


Blackwood Family Medical Centre takes complaints and concerns about the privacy of patients’ personal information seriously. Patients should express any privacy concerns in writing and Blackwood Family Medical Centre will then attempt to resolve them in accordance with its complaint resolution procedure.

Record Security

Our patient records are maintained in a secure, onsite computer system. The information recorded is protected by an individual password system and is accessible only to authorised personnel. Our practice has a designated person with primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security Policy. This responsibility is documented in the Position Description. Tasks may be delegated to others and this person works in consultation with the Practice Manager.


Records will be retained for at least 7 years after the last encounter in the case of adults and, for children, until they have attained the age of 25 years. Paper-based information that is no longer required is destroyed by shredding.


All authorised practice doctors and staff have access to the patient’s information – if the patient consults different doctors, they all have access to the record unless the patient specifically requests otherwise. At times, we write to our patients about health-related matters and reminders for follow-up appointments. The patient's name can be removed from such lists if required.

Credit Card Protection


Blackwood Family Medical Centre, in partnership with our bank, ensures the increased protection that the Secure Code Service delivers. As we are a business customer, we have nominated one work landline phone number / one mobile phone number to receive the Secure Code.

To keep our information secure, our bank safeguards our systems in the following ways:

  • Anti-virus protection stops threats before they reach our computer network.
  • Firewalls prevent unauthorised access to our network.
  • Secure transmissions maintain confidential information. Encryption technology such as Secure Sockets Layer (SSL) is utilised when sending information between you and the bank. Security is achieved through:
      • Authentication to establish the validity of a transmission; this prevents another computer from impersonating the bank.
      • Encryption to scramble transmitted data over the Internet.
      • Data integrity to verify that information sent to us has not been altered during the transmission process.

Procedures


Doctors, allied health practitioners, all staff and contractors associated with this Practice have a responsibility to maintain the privacy of personal health information and related financial information. The privacy of this information is every patient’s right. The maintenance of privacy requires that any information regarding individual patients, including staff members who may be patients, may not be disclosed either verbally, in writing, in electronic form, by copying either at the Practice or outside it, during or outside work hours, except for strictly authorised use within the patient care context at the Practice or as legally directed.


All patient information must be considered private and confidential, even that which is seen or heard and therefore is not to be disclosed to family, friends, staff, or others without the patient’s approval. Sometimes details about a person’s medical history or other contextual information such as details of an appointment can identify them, even if no name is attached to that information. This is still considered health information and as such it must be protected under the Federal Privacy Act 1998.


Any information given to unauthorised personnel will result in disciplinary action and possible dismissal. Each staff member is bound by his/her privacy clause contained within the employment agreement which is signed upon commencement of employment at this Practice.


Personal health information should be kept where staff supervision is easily provided and kept out of view and access by the public, e.g. not left exposed on the reception desk, in the waiting room or other public areas, or left unattended in consulting or treatment rooms.


Practice computers and servers comply with the RACGP computer security checklist, and we have a sound backup system and a contingency plan to protect the practice from loss of data. (Refer to Computer Information Security Policy.)


Care should be taken that the general public cannot see or access computer screens that display information about other individuals. To minimise this risk, automated screen savers are engaged when members of the practice team have different levels of access to patient health information. (Refer to Computer Information Security Policy.) To protect the security of health information, GPs and other practice staff do not give their computer passwords to others in the team.


Reception and other Practice staff should be aware that conversations in the main reception area can often be overheard in the waiting room, and as such staff should avoid discussing confidential and sensitive patient information in this area. When sensitive documentation is discarded, the practice uses an appropriate method of destruction (e.g. shredding, or computer drives, memory sticks etc. are reformatted).

Audit

Periodically, or in the event of an incident or complaint relating to privacy matters, our Practice will conduct a review of privacy policies and procedures. At this time, the privacy officer will review the following items:


  • what is the primary purpose of this practice?
  • what data do we collect and document? NPP1 / HPP1
  • how do we store this information? NPP5
  • what data do we disclose and to whom? NPP2
  • when and how do we obtain patients' consent? NPP2/HPP2

 


The privacy officer will:


  • ensure information is collected from hard copy and electronic storage devices
  • ensure issues are discussed with GPs and staff to gain the most current information
  • update and act upon any National and State Privacy Laws
  • update policy manual, patient access forms, patient brochures and posters
  • update forms related to "Patient Access to Health Information", including "Request for Access" forms
  • update patient privacy message on display TV in waiting area