Privacy Policy

 MEDICAL RECORDS:

• Medical records remain the property of the practice. They do not belong to the patient although patients may have access to their records (see below privacy policy).
• Medical records are confidential and are not to be discussed with any third party unless specific permission has been given. The one exception would be information given in an emergency situation to other practitioner to assist in management of an acute problem.
• Patients who no longer attend the practice can have a summary provided to another doctor or surgery upon written request.
• Records must be kept for at least seven (7) years for adults and up to twenty-five (25) years for children from the date that the patient was last provided with medical treatment or services by the doctor.

 

X-RAYS:

• X-rays are usually given to patients for safe keeping. The practice retains a copy of the report in our Medical Software.
• Results and interpretation of x-ray investigations are the province of the doctor.
• Practice staff are unqualified to provide feedback on x-rays and should not do so for medico-legal reasons.
• Patients should be advised they may discuss the results with the doctor during a consultation. It is not policy to convey results over the phone. The only exception would be if the doctor has indicated there is no need to see the patient.

 

PRACTICE POLICY FOR THE MANAGEMENT OF HEALTH INFORMATION

 

Nature and scope of this practice policy

This policy primarily addresses the management of ‘personal health information’ in the practice.

 

The policy covers the following areas:

1. Privacy
2. Informing new patients
3. Patient access to their personal health information
4. Alteration of patient records
5. Access to personal health information by practice staff for the purposes of research, professional development and quality assurance/improvement
6. Confidentiality agreements
7. Disclosure to third parties
8. Requests for personal health information and medical records by other medical practices
9. Security
10. Complaints about privacy related matters
11. Retention of medical records
12. Staff training

 

 

This policy:

• is based on The Handbook for the Management of Health Information in Private Medical Practice published in November 2002;
• is consistent with the National Privacy Principles for the Fair Handling of Personal Information in the Federal Privacy Act 1988 as amended; and
• takes into account legislation pertaining to privacy in WA.

 

While the policy focuses on the management of the patient’s health record, it also relates to other recorded information, for example Medicare data, billing and accounting records, pathology and radiology results, medical certificates and letters to and from hospitals and other doctors.

 

 

 

1.     Privacy

Personal health information is defined as information concerning a patient’s health, medical history, or past or present medical care; and which is in a form that enables or could enable the patient to be identified. It includes information about an individual’s express wishes concerning current and future health services.

All GPs and practice staff will ensure that patients can discuss issues relating to their health, and that the GP can record relevant personal health information, in a setting that provides visual privacy and protects against any conversation being overheard by a third party.

Staff will not enter a consultation room during a consultation without knocking or otherwise communicating with the GP.

Staff, registrars and students will not be present during the consultation without the prior permission of the patient.

 

2.     Informing new patients

New patients will be offered the practice’s leaflet about personal information, privacy and their GP, and will be offered access to the practice information policy.

This practice tries to make sure that the information on privacy available to patients is appropriate for the range of people who come here.  Feedback about the information is welcome.

Practice staff will ensure that current leaflets about the practice’s approach to personal privacy are available in waiting rooms, consulting rooms, and at practice reception.

Information provided to patients, both by GPs and staff verbally, and in writing through practice leaflets will advise that, for the purpose of patient care and teaching, this practice normally allows access to patient records by:

• other GPs in the practice
• GP locums, and
• general practice registrars attached to the practice for training.

GPs will make a contemporaneous note in the patient’s record outlining the patient’s consent to the collection and use of information that is particularly sensitive.

The practice staff, including its GPs will endeavour to ensure that continuing patients of the practice are informed about the impact of changes to privacy legislation, by bringing relevant materials to the attention of continuing patients.

 

3.     Patient access to their personal health information

Under privacy legislation provisions all patients have the right to access their health information stored at the practice. The treating GP will provide an up to date and accurate summary of their health information only on request to the GP at a consultation.

The treating GP will consider all requests made by a patient for access to their medical record. In doing so the GP will need to consider the risk of any physical or mental harm resulting from the disclosure of health information.

If the GP is satisfied that the patient may safely obtain the record then he/she will either show the patient the record, or arrange for provision of a photocopy, and explain the contents to the patient.

Any information that is provided by others (such as information provided by a referring medical practitioner or another medical specialist) is part of the health record and can be accessed by the patient.

Appropriate administration costs may be charged to the patient.

This practice will respond to a patient’s request for access within 7 days of receiving payment of the fee for access, or within 45 days of the request, whichever is the later.

 

4.     Alteration of patient records

This practice will alter personal health information at the request of the patient when the request for alteration is straightforward (e.g. amending an address or telephone number). Alternatively, the patient can fill in a new patient details form to allow for changes to their records.

With most requests to alter or correct information, the General Practitioner will annotate the patient’s record to indicate the nature of the request and whether the GP agrees with it. For legal reasons, the doctor will not alter or erase the original entry.

 

5.     Access to personal health information by practice staff for the purposes of research, professional development and quality assurance/improvement.

New patients will also be informed that the practice undertakes research, professional development, and quality assurance/improvement (QA) activities from time to time, to improve individual and community health care and practice management.

Patients will be advised of the ways in which the practice undertakes ‘recall’ and ‘follow-up’ activities, e.g. when the practice would write to a patient or phone them.

Patients will be informed when quality improvement, professional development and research activities are being conducted and given the opportunity to ‘opt out’ of any involvement in these activities. The GP responsible for the activity will ensure that appropriate information is available to patients from the reception staff.

When research projects are conducted in the practice under the approval of an institutional ethics committee, staff will be made aware of the requirements to obtain consent specified in the research protocol and ensure that consent is properly obtained.

Where possible identifying information will be removed from personal health information being used for research and QA activities. Where this is not possible, internal staff accessing personal health information are aware that they are under an obligation of confidentiality not to disclose the information. Breaches of that obligation may result in instant dismissal. The GP from the practice who is responsible will ensure that any external researchers are also under an explicit written obligation of confidentiality with appropriate penalties for disclosure.

 

6.     Confidentiality agreements

In order to protect personal privacy, this practice has staff, including temporary or casual staff; sub-contractors (e.g. software providers etc) and medical students sign a confidentiality agreement.

 

7.     Disclosure to third parties

GPs and staff will ensure that personal health information is disclosed to third parties only where consent of the patient has been obtained. Exceptions to this rule occur when the disclosure is necessary to manage a serious and imminent threat to the patient’s health or welfare, or is required by law.

The GP will refer to relevant legislation  and the maturity of the patient before deciding whether the patient (in this case a minor) can make decisions about the use and disclosure of information independently (ie without the consent of a parent or guardian). For example, for the patient to consent to treatment, the GP must be satisfied that the patient (a minor) is aware and able to understand the nature, consequences and risks of the proposed treatment.  This patient is then also able to make decisions on the use and disclosure of his or her health information.

 

GPs will explain the nature of any information about the patient to be provided to other people, for example, in letters of referral to hospitals or specialists. The patient consents to the provision of this information by agreeing to take the letter to the hospital or specialist, or by agreeing for the practice to send it.

NOTE: Increasingly there is an expectation by patients that they will see and be advised of the contents of referral letters. They are able to access such letters in their records.

GPs and staff will disclose to third parties only that information which is required to fulfil the needs of the patient.

These principles apply to the personal information provided to a treating team (for example, a physiotherapist or consultant physician also involved in a person’s care). The principles also apply where the information is transferred by other means, for example, via an intranet.

Information classified by a patient as restricted will not be disclosed to third parties without the explicit consent of the patient. GPs will make a contemporaneous note when such permission is given.

Information disclosed to Medicare or other health insurers will be limited to the minimum required to obtain insurance rebates.

Should an outstanding debt be referred to a collection agency, this practice will provide only the contact details of the debtor and the amount of the debt. No other personal information will be provided.

Information supplied in response to a court order will be limited to the matter under consideration by the court.

From time to time General Practitioners will provide their medical defence organisation or insurer with information, in order to meet their insurance obligations.

This practice participates in practice accreditation, which assists it improve the quality of its services. Practice accreditation may involve the ‘surveyors’ who visit the practice reviewing patient records to ensure that appropriate standards are being met. This practice will advise patients when practice accreditation is occurring by placing a notice in the foyer prior to the survey visit occurring. Patient will be given the opportunity of refusing accreditation surveyors access to their (the patient’s) health information.

 

8.     Requests for personal health information and medical records by other medical practices

Access to accurate and up to date information about the patient by a new treating GP is integral to the GP providing high quality health care.

This practice engages an after-hours service to provide care, and will allow this service to have access to a patient’s personal health information in order to assist the after-hours service provide high quality care.

If a patient transfers away from the practice to another GP, and the patient requests that the medical record be transferred, the existing GP will provide the record, a summary, or a photocopy to the new treating GP or to the patient. This practice will retain original documents and records.

This practice will seek written permission from the patient for the provision of personal health information to another medical practice.

 

9.     Security

Medical practitioners, practice staff and contractors will protect personal health information against unauthorised access, modification or disclosure and misuse and loss while it is being stored or actively used for continued management of the patient’s health care.

Staff will ensure that patients, visitors and other health care providers to the practice do not have unauthorised access to the medical record storage area or computers.

Staff will ensure that records, pathology test results, and any other papers or electronic devices containing personal health information are not left where they may be accessed by unauthorised persons.

Non clinical staff will limit their access to personal health information to the minimum necessary for the performance of their duties.

Fax, e-mail and telephone messages will be treated with security equal to that applying to medical records.

Computer screens will be positioned to prevent unauthorised viewing of personal health information. Through the use of, for example, password-protected screen-savers, staff will ensure that computers left unattended cannot be accessed by unauthorised persons.

Medical practitioners and staff will ensure that personal health information held in the practice is secured against loss or alteration of data. This includes adherence to national encryption protocols.

Patient records will not be removed from the practice, except when required by clinical staff for patient care purposes. Records will be kept securely while away from the practice and the responsible clinician will ensure that records are returned to the practice and left in an appropriate place for filing.

Manual medical records and other papers containing personal health information will be filed promptly after each patient contact.

Staff will ensure that manual and electronic records, computers, other electronic devices and filing areas are secured at the end of each day and that the building is locked when leaving.

The data on the computer system will be backed up daily and a duplicate backup tape/cartridge given to the nominated staff member for storage off site. Backups should be routinely tested to ensure daily duplication processes are valid and retrievable.

 

10.  Complaints about privacy-related matters

Complaints about privacy-related matters will be addressed in the same way as other complaints. This procedure is outlined elsewhere in this practice’s procedures manual.

 

11.  Retention of medical records

It is the policy of the practice that individual patient medical records be retained until the patient has reached the age of 25 or for a minimum of 7 years from the time of last contact, whichever is the longer. No record will be destroyed at any time without the permission of the treating GP or of the authorised GP in the practice.

In the event of a GP dying or transferring out of the practice, the practice will post a notice in the practice waiting room, or a GP who is leaving the practice may write individually to each patient, asking them to nominate a practitioner to whom the record should be transferred.

If the practice closes, patients will be contacted individually or, if this is not practical, a public notice will be placed in the local newspaper indicating how patients may arrange for their record to be transferred to another GP.

In the event of the practice closing, it has been arranged that any medical records not transferred will be stored securely under the supervision of (Dr Sam Takla- Principal Doctor).

 

12.  Staff training

Practice training and induction procedures for medical practitioners and staff should ensure that medical practitioners and staff demonstrate understanding of this policy.

Ongoing education and training processes in the practice will ensure that skills and competence in the implementation of the privacy policy and related issues are maintained and updated.