Brunswick Medical Group is committed to best practice in relation to the management of information we collect.
This policy explains how you may access that information and how you may seek the correction of any information.
It also explains how you may make a complaint about a breach of privacy legislation.
If we need to use your information for anything else, we will seek additional consent from you to do this.
All our employees and contractors observe the obligations of confidentiality in the course of their employment/contract with us. All employees sign a confidentiality agreement on commencement at the practice.
SECURITY OF INFORMATION COLLECTED:
Due to the sensitive nature of the information collected by Brunswick Medical Group to provide its services, extra precautions are taken to ensure the security of that information. Information is stored electronically, all files are password protected, and backups of records are made daily and stored offsite.
This practice has developed a policy to protect patient privacy in compliance with privacy legislation.
THIS POLICY EXPLAINS:
1. how we collect, store, use and disclose your personal information
2. how you may access your personal information
3. how we protect the quality and security of your personal information
4. how you may seek correction of any personal information we hold
5. how we will respond if we suspect that there has been a breach of our electronic data security
6. how you may make a complaint about our handling of your personal information
In addition to our professional and ethical obligations, at a minimum, our Practice handles your personal information in accordance with federal and state privacy law. This includes complying with the federal Australian Privacy Principles (APPs) forming part of the Privacy Act 1988 (Cth), the Victorian Health Privacy Principles (HPPs) forming part of the Health Records Act 2001 (Vic), the Notifiable Data Breaches scheme (2018), and relevant Victorian privacy legislation.
More information about the APPs and HPPs can be found on the Australian Information Commissioner’s website www.oaic.gov.au or in hard copy on request from our Practice reception.
COLLECTION OF INFORMATION
Our main purpose for collecting, using, holding and sharing your personal information is to manage your health and so that we may properly assess, diagnose, treat and be proactive in your health care needs.
We also use it for directly related business activities, such as financial claims and payments, practice audits, practice quality improvements and accreditation.
We will treat your personal information as strictly private and confidential. We will only use or disclose it for purposes directly related to your care and treatment, or in ways that you would reasonably expect that we may use it for your ongoing care and treatment.
When you make your first appointment, our practice staff will collect your personal and demographic information via your registration. You provide consent for our doctors, nurses and practice staff to access and use your personal information so they can provide you with the best possible healthcare.
The type of personal information we collect may include:
1. personal details (name, address, date of birth, Medicare number)
2. your medical history
3. notes made during the course of a medical consultation
4. referrals to other health service providers
5. results and reports received from other health service providers
6. credit card or direct debit information for billing purposes
Wherever practicable we will collect this information from you personally – either at the Practice, over the phone or via written correspondence. In some instances we may need to collect information about you from other sources such as referring doctors, treating specialists, pathology, radiology, hospitals or other health care providers. In an emergency, we may collect information from your immediate family, friends or carers.
DEALING WITH US ANONYMOUSLY
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to deal only with identified individuals.
USE AND DISCLOSURE
Your personal information will only be used or disclosed for purposes directly related to providing you with quality health care, or in ways you would reasonably expect us to use it in order to provide you with this service.
This includes use or disclosure:
- to the professional team directly involved in your health care, including treating doctors, pathology services, radiology services and other specialists outside this medical practice. For example, this may occur through referral to other doctors, when requesting medical tests, or in the report or result returned to us following the referral
- to your health insurance fund, Medicare or other organisations responsible for the financial aspects of your care
- where required by law, for example, pursuant to a subpoena
- to insurers or lawyers for the defence of a medical claim
- to assist with training and education of other health care professionals
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process
- of DE-IDENTIFIED personal health information to a third party for research or quality improvement activities to improve individual and community health care and practice management. De-identified information cannot be traced back to the individual
- when there is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)
- during the course of providing medical services, through Electronic Transfer of Prescriptions (eTP) and the My Health Record/PCEHR system (e.g. via Shared Health Summary or Event Summary).
If you do not wish for your information to be used for training of health professionals please inform our receptionist.
Our practice does not intend to disclose your personal information to overseas recipients unless in a medical emergency situation.
We aim to ensure the information we hold about you is accurate, complete, up to date and relevant. To this end our staff may ask you to confirm that your personal details are correct when you attend a consultation. Please let us know if any of the information we hold about you is incorrect or not up to date.
SECURITY AND STORAGE
Our Practice takes all reasonable steps to protect the security of the personal information we hold, by:
1. securing our premises
2. using passwords on all electronic systems and databases, and varying access levels, to protect electronic information from unauthorised interference, access, modification or disclosure
3. storing hard copy records in secure filing cabinets or rooms that are accessible only to Practice staff.
ACCESS TO YOUR PERSONAL INFORMATION
Under law you have a right to access personal information we hold about you. Please contact our Practice Manager for more information on how you can access your medical records and the paperwork that you will be required to complete.
You will be required to put this request in writing to the Practice Manager or by email to email@example.com, and she will respond within 30 days.
We ask that you put your request in writing. A fee for the retrieval and copying of your medical record will apply, charged in accordance with the schedule of fees specified in the Health Records Regulations 2008 (Vic), plus GST.
This fee is not redeemable through Medicare.
AMENDMENT OF YOUR PERSONAL INFORMATION
If you consider the information we hold about you is not correct, please contact the Practice Manager in writing at firstname.lastname@example.org or speak to the receptionist. You will be given the appropriate paperwork to fill out so that your personal information can be amended. You have the right to have any incorrect information corrected. The practice will take reasonable steps to correct your personal information where the information is not accurate or up to date.
IF YOU CHOOSE TO WITHHOLD YOUR PERSONAL INFORMATION?
You are not obliged to give us your personal information. However, if you choose not to provide the Practice with the personal details requested, it may limit our ability to provide you with full service. We encourage you to discuss your concerns with our reception staff prior to your first consultation or with your doctor.
HOW WE WOULD DEAL WITH A BREACH, UNAUTHORISED ACCESS OR DISCLOSURE OF YOUR INFORMATION?
We take every care to ensure that our data security systems protect your electronic data.
If we have reason to suspect that there may have been unauthorised access to or unauthorised disclosure of your health information which we are unable to rectify we will comply with the requirements of the Privacy Act to notify you and the Office of the Australian Information Commissioner.
USE OF EMAIL:
Emailing of personal information is not a secure method of communication.
Should you however request information to be emailed to you, we will explain the risks associated with transmitting personal information in this way. If you would still like to continue with emailing information we will be required to obtain your verbal and written consent. We will then password protect all documents, notify you of the password verbally and email it to a verified email address. This process is a secure method and has a low privacy and security risk as per the Royal Australian College of General Practitioners: Using Email in General Practice – Guiding Principles.
We will not email your personal information without consent and password protection unless in the case of a medical emergency.
We will accept personal information via email from other healthcare providers and organisations involved in the management of your health.
USE OF SMS FOR APPOINTMENT AND HEALTH:
Appointment and health reminders will be sent via SMS. If you do not want to receive SMS notification please let our staff know so that you can be removed from our reminder system.
WHAT ABOUT USE OF PERSONAL INFORMATION FOR DIRECT MARKETING?
Australian privacy law limits the use of personal information for direct marketing of goods and services. We do not use your personal information for direct marketing.
WHAT YOU SHOULD DO IF YOU HAVE A PRIVACY COMPLAINT?
If you have a complaint regarding the way your personal information has been handled by our Practice, please put it in writing and address it to the practice manager: Antoinette Mignanelli via email: email@example.com. We will acknowledge receipt of your complaint within 14 days, and endeavour to provide a full response within 30 days of receipt.
Should you be dissatisfied with our response, you may lodge your written complaint with the Victorian Privacy Commissioner at privacy.vic.gov.au and/or the Health Complaints Commissioner at hcc.vic.gov.au.
You may also contact the OAIC. Generally the OAIC will require you to give us time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 336 002.
Please direct any queries, concerns, complaints or requests for access to medical records to:
Brunswick Medical Group
4 Blyth Street, Brunswick, Vic, 3056 Ph: 9387 1977 firstname.lastname@example.org
AUSTRALIAN PRIVACY PRINCIPLES (APPs)
The Commonwealth Privacy Act was amended in 2012 and from March 2014 incorporates 13 Australian Privacy Principles (APPs) that set out the rules for the handling of personal information in Australia.
From 12 March 2014, the Australian Privacy Principles (APPs) replace the National Privacy Principles and Information Privacy Principles and apply to organisations and to Australian Government (and Norfolk Island Government) agencies.
The Act replaces the existing nine Information Privacy Principles (IPPs) that applied to the public sector and the nine National Privacy Principles (NPPs) that applied to the private sector with 13 Australian Privacy Principles (APPs) that apply to the public and private sector alike.
Health practitioners fall within the definition of an ‘organisation’ that handles ‘personal information’ so the APPs apply to them.
Personal information means information or an opinion – whether true or not – about an individual whose identity is apparent or can be reasonably ascertained.
In Victoria, health practitioners are also subject to the Health Records Act 2001 (Vic), which requires organisations dealing with health information to comply with the 11 Health Privacy Principles (HPPs).
The new APPs will apply in addition to the Victorian HPPs. The APPs are more similar to the existing HPPs than the federal principles they are replacing. This is good news for Victorian doctors because it means minimal changes will be required regarding the way health practitioners handle their patients’ personal information.
We inform our patients about our practice’s policies regarding the collection and management of their personal health information via:
- Brochures at reception
- Our patient information sheet
- New patient registration forms
SUMMARY OF AUSTRALIAN PRIVACY PRINCIPLES (APPS)
APP 1 OPEN AND TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION
APP 2 ANONYMITY AND PSEUDONYMITY
Individuals must have the option of not identifying themselves, or using a pseudonym, unless impracticable or unlawful.
APP 3 COLLECTION OF SOLICITED INFORMATION
Sensitive information (including health information) must only be collected:
- with consent from the individual (or authorised guardian); and
- where reasonably necessary for the functions and activities of the practice (that is, the provision of health services).
Information should only be collected from the patient unless it is impracticable to do so.
Example: Information about a patient’s family member is collected while taking a history. This is acceptable if the information is reasonably necessary to treat the patient.
APP 4 DEALING WITH UNSOLICITED INFORMATION
Where an entity receives personal information it did not solicit, it must determine whether the information could have been collected under APP 3. If not, the information must be de-identified or destroyed.
APP 5 NOTIFICATION OF COLLECTION OF PERSONAL INFORMATION
Individuals must be made aware of the nature of the personal information the practice collects. This includes information on:
- accessing and amending medical records
- how to make a complaint
- whether information will be used for direct marketing or disclosed to overseas recipients.
The practice’s privacy and patient consent documents should cover these points.
APP 6 USE AND DISCLOSURE OF PERSONAL INFORMATION
Information collected by the practice must only be used for a primary purpose or a secondary purpose directly related to the primary purpose, and only where the patient has provided consent to the use or disclosure.
A ‘primary purpose’ is the reason the information was collected (for example, for the provision of health care)
A ‘secondary purpose’ is a purpose ancillary but closely related to the primary purpose. For example, using patient details for billing purposes, or disclosing patient details to a specialist for referral.
Disclosure may also be required by law, including where there is a:
- warrant from Police to access medical records
- subpoena to produce document or give evidence
- obligation of mandatory notification of child abuse or notifiable disease.
Use or disclosure for a secondary purpose is also lawful in ‘permitted general situations’, without consent of the patient. The most relevant of these include:
- where necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public and it is unreasonable/impracticable to obtain the patient’s consent. The threat need not be ‘imminent’ but it must be ‘serious’.
- in instances of suspected or actual unlawful activity or serious misconduct that relates to the practice’s functions and use or disclosure is necessary to take appropriate action.
- to locate a missing person – if the practice has a reasonable belief that the use or disclosure of personal information is reasonably necessary to locate a missing person. Example: medical records indicate that a 17-year-old male who has been reported missing was proposing to travel interstate to meet a girl he met on Facebook.
- to defend or establish a legal or equitable claim.
- to lawyers or insurers in response to complaints or claims.
- for confidential mediation/ADR processes – practices have the right to use or disclose patient information during a confidential alternative dispute resolution process such as mediation.
There are 3 ‘permitted health situations’ where a practice can use or disclose health or genetic information for a ‘secondary purpose’. These are:
- Research – if relevant to public health or safety and it is impracticable to obtain a patient’s consent. The research must be conducted in accordance with research guidelines and the practice must reasonably believe that the information will not be further disclosed by the recipient.
- Prevention of a serious threat to the life, safety or health of a genetic relative. Example: a daughter may request access to her mother’s and grandmother’s medical records to determine the nature of their disease.
- Responsible person/Guardian – where a patient is either physically or mentally incapable of giving consent, a practice may disclose information to a responsible person or guardian where the disclosure is necessary to provide appropriate care or treatment to the patient or for ‘compassionate reasons’. The disclosure must not be contrary to the wishes of the patient and limited to the extent necessary for care or compassion.
APP 7 DIRECT MARKETING
The practice must not use personal information for direct marketing unless the individual has given specific consent for this to occur.
Direct marketing involves the use of personal information to communicate with an individual to promote goods and services.
Example: sending patients an SMS offering discounted services at the practice is direct marketing and not permitted. Direct marketing is permitted where an individual would have a reasonable expectation that this would occur and they can easily ‘opt out’.
APP 8 CROSS BORDER DISCLOSURE OF PERSONAL INFORMATION
If the practice is going to send personal information overseas, it must take reasonable steps to ensure the overseas recipient will not breach the APPs. There are exceptions where the overseas recipient has a similar enforceable law in place or the patient has consented after being expressly informed that information will be sent overseas.
Example: having a contract with an overseas cloud service provider that requires compliance with APPs.
APP 9 USE OF GOVERNMENT IDENTIFIERS
The practice must not adopt, use or disclose a government related identifier unless:
- the adoption, use or disclosure is required or authorised by law
- it is reasonably necessary to verify the identity of the individual
- it is reasonably necessary to fulfil obligations to a Commonwealth agency or state or territory authority
- the practice believes it is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public
- the practice reasonably believes use or disclosure is necessary to take action in relation to suspected unlawful activity or misconduct of a serious nature
- the practice reasonably believes use or disclosure is necessary for enforcement related activities of an enforcement body.
A government related identifier includes a Medicare number, Centrelink reference number, driver’s licence number or passport number.
Example: the practice is not permitted to use Medicare numbers as the basis for patient identification. However, a practice can view and record Medicare numbers to verify the identification of a patient and for billing purposes.
APP 10 QUALITY OF PERSONAL INFORMATION
Practices must take reasonable steps to ensure the personal information they collect, use or disclose is accurate, up to date, complete and relevant.
APP 11 SECURITY OF PERSONAL INFORMATION
Practices must take reasonable steps to protect the personal information they hold from misuse, interference, loss, unauthorised access, modification or disclosure.
Example: Practices should issue staff with passwords to access patient databases that are changed on a regular basis, and store hard copy files in lockable filing cabinets or rooms, accessible only to authorised practice staff.
APP 12 ACCESS TO PERSONAL INFORMATION
The practice must, on request, provide a patient with access to their personal information within a reasonable time, unless an exception applies (see APP 6 above).
The practice is entitled to charge a ‘reasonable’ fee for access under the Privacy Act 1988 (Cth). The Victorian Health Records Act 2001 (Vic) sets specified fees for access to medical records. Further information on these fees can be obtained from AMA Victoria.
Any refusal must be accompanied by written reasons and information on how the patient may lodge a complaint.
APP 13 CORRECTION OF PERSONAL INFORMATION
A practice must take reasonable steps to ensure the personal information it holds is up to date, accurate, complete, relevant and not misleading. There is a positive obligation on practices to correct information where it is wrong.
The practice must acknowledge a request for an amendment to their medical records, within a reasonable time. No charge can be made for the practice making the requested changes.
Example: Reception staff should confirm the contact details of the patient are up to date when they present for an appointment.
HEALTH RECORDS ACT 2001 (VIC) OBLIGATIONS
In addition to the obligations imposed by the APPs under the Privacy Act 1988 (Cth), the Health Records Act 2001 (Vic) imposes 11 Health Privacy Principles (HPPs) which apply specifically to the collection, use, disclosure and handling of health information in Victoria.
The HPPs are substantially the same as the APPs and so it is not required to set them out separately. There are, however, two added obligations imposed by the HPPs that are not included in the APPs. These are:
HPP 10 – a practice must provide a patient with information about their medical record if the practice is transferred, sold or closed.
HPP 11 – a practice is required to transfer a patient’s health information to another health service provider upon request from the patient.