Privacy Policy

 

Management of Health Information & Privacy

1. Purpose and scope

This policy outlines how the practice manages personal health information in accordance with legislative, professional, and accreditation requirements.

The policy applies to:

• All general practitioners
• Practice nurses
• Administrative staff
• Registrars and students
• Contractors and service providers

This policy covers information in all formats, including:

• Electronic medical records
• Paper records
• Correspondence
• Pathology and radiology results
• Medicare and billing data
• My Health Record (where applicable)

 

2. Legislative and professional framework

This policy is consistent with:

• The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• Relevant Western Australian privacy and health records legislation
• RACGP guidance on managing health information in general practice
• AGPAL accreditation standards

3. Definitions

Personal health information includes any information relating to an individual’s physical or mental health, medical history, diagnosis, treatment, or care that identifies or could reasonably identify the individual.

4. Ownership of medical records

• Medical records are the legal property of the practice.
• Patients do not own the physical or electronic record.
• Patients have a legal right to access their personal health information, subject to limited exceptions permitted by law.

5. Privacy during consultations

• Consultations are conducted in a manner that ensures visual and auditory privacy.
• Staff will not enter a consultation room without knocking or prior communication with the GP.
• Registrars, students, or other staff will only be present during consultations with the explicit consent of the patient.
• Patients may withdraw consent at any time.

 

 

 

6. Informing patients about privacy

• New patients are provided with information explaining:
  • How their health information is collected, used, and disclosed
  • Their rights to access and correct information
  • The practice’s approach to privacy and confidentiality
• Privacy information is available:
  • At reception
  • In waiting areas
  • On request
• Patients are informed that their records may be accessed for care purposes by:
  • Other GPs in the practice
  • GP locums
  • Practice nurses
  • GP registrars under supervision
• Consent for the collection and use of particularly sensitive information is documented in the clinical record.

7. Collection and use of health information

Health information is collected:

• Directly from patients wherever possible
• For the primary purpose of providing safe, effective health care
• For related secondary purposes such as:
  • Follow-up and recall systems
  • Practice accreditation
  • Quality improvement and professional development
  • Legal and billing obligations

Only information necessary for these purposes is collected.

8. Patient access to health information

• Patients have the right to request access to their personal health information.
• Access may include:
  • Viewing the record
  • Receiving a copy of the record
  • Receiving a health summary
• Requests are considered by the treating GP, who will assess:
  • Legal requirements
  • Any risk of serious harm to the patient or another person
• Access will be provided within 30 days of receiving a valid request.
• Reasonable administrative fees may apply for copying or transferring records.
• Where access is refused or limited, reasons will be documented and explained to the patient.

9. Correction of health information

• Patients may request correction of inaccurate or incomplete information.
• Administrative details (e.g. address, phone number) will be updated promptly.
• Clinical entries will not be deleted or altered.
• Where a correction is disputed, the GP will:
  • Annotate the record
  • Document the patient’s request
  • Record whether the GP agrees or disagrees with the amendment

10. Disclosure of health information

Personal health information is disclosed only:

• With patient consent
• Where required or authorised by law
• Where necessary to prevent a serious and imminent threat to life, health, or safety

Disclosures are limited to the minimum information necessary.

Examples include:

• Referrals to specialists or hospitals
• Communication with other treating health professionals
• Medicare, private health insurers, and government agencies
• Medical defence organisations or insurers
• Court orders or subpoenas

Patients are entitled to view referral letters and correspondence contained in their record.

11. Children and young people

• A minor may consent to the use and disclosure of their health information where the GP assesses that the patient has sufficient maturity and understanding.
• In such cases, parental access may be limited in accordance with law and clinical judgement.
• Decisions are documented in the medical record.

12. Research, quality improvement and education

• The practice undertakes quality improvement, professional development, and research activities.
• Patients are informed of these activities and may opt out.
• Identifiable data is removed wherever possible.
• Where identifiable data is required:
  • Consent is obtained
  • Confidentiality obligations apply
• External researchers must have ethics approval and written confidentiality agreements.

 

 

13. Confidentiality agreements

• All staff, contractors, students, and temporary personnel are required to sign confidentiality agreements.
• Breaches of confidentiality may result in disciplinary action, including termination of employment.

14. Transfer of medical records

• Records are transferred only with written patient consent.
• The practice may provide:
  • A health summary
  • A copy of records
  • Relevant extracts
• Original records are retained by the practice.
• Secure electronic transfer methods are used wherever possible.

15. Security of health information

The practice implements physical, administrative, and technical safeguards, including:

• Password-protected clinical systems
• Role-based access controls
• Screen positioning to prevent unauthorised viewing
• Secure storage of paper records
• Encryption of electronic data where appropriate
• Secure messaging for clinical correspondence
• Daily data backups with secure off-site or encrypted cloud storage
• Regular testing of backup systems

Records are not removed from the practice unless required for patient care and are secured at all times.

 

16. X-rays and diagnostic imaging

• X-rays are usually provided to patients for safekeeping.
• The practice retains reports and results within the clinical record.
• Interpretation of imaging is the responsibility of the treating doctor.
• Practice staff do not provide clinical interpretation.
• Results are discussed during a consultation unless the doctor has documented otherwise.

17. Retention of medical records

• Adult records are retained for a minimum of 7 years from the date of last contact.
• Records for children are retained until the patient reaches 25 years of age, or 7 years from last contact, whichever is longer.
• Records are not destroyed without authorisation from the treating or authorised GP.

If the practice closes or a GP leaves:

• Patients are informed of arrangements for transfer or storage of records.
• Untransferred records are stored securely under nominated medical supervision.

18. Complaints about privacy

• Privacy complaints are managed in accordance with the practice’s complaints policy.
• Patients may escalate concerns to the Office of the Australian Information Commissioner (OAIC) if unresolved.

19. Staff training

• All staff receive privacy and confidentiality training during induction.
• Ongoing training ensures awareness of legislative changes and best practice.
• Compliance with this policy is monitored as part of quality improvement and accreditation activities.