Standards for general practices (4th edition)

including Interpretive guide for Aboriginal and Torres Strait Islander health services

Standard 4.2 Management of health information

Our practice has an effective system for managing patient information.

Criterion 4.2.1

Confidentiality and privacy of health information

Our practice collects personal health information and safeguards its confidentiality and privacy in accordance with Australian Privacy Principles.

Indicators

► A. Our practice team can describe how we ensure the confidentiality of patient health records.

► B. Our practice team can demonstrate how patient health records can be accessed by an appropriate team member when required.

► C. Our practice team can describe the processes we use to provide patients with access to their health information.

► D. Our practice team can demonstrate how patients are informed about our practice’s policy regarding management of their personal health information.

► E. Our practice team can describe the procedures for transferring relevant patient health information to another service provider.

► F. Our practice team can demonstrate how we facilitate the timely, authorised and secure transfer of patient health information in relation to valid requests.

► G. When we collect patient health information for quality improvement or professional development activities, we only transfer identified patient health information to a third party once informed patient consent has been obtained. Amended in May 2013.

► H. Whenever any member of our practice team is conducting research involving our patients, we can demonstrate that the research has appropriate approval from an ethics committee.

Explanation

Key points

  • Privacy of health information is a legislative requirement
  • The practice needs to have a documented privacy policy for the management of patient health information
  • Patients need to be informed about the practice’s privacy policy
  • Guidelines on Australian Privacy Principles will assist general practices to meet their legal obligations in relation to the collection, use and disclosure of health information.

Personal information and health information

The Privacy Act 1988 applies to personal information. Health information is a particular subset of personal information and can include any information collected to provide a health service, such as a person’s name, address, account details, Medicare number and any health information such as a medical or personal opinion about a person’s health, disability or health status.

Sometimes details about a person’s medical history or other contextual information such as details of an appointment can identify them, even if no name is attached to that information. This is still considered health information and as such it must be protected under the Privacy Act 1988.

Australian Privacy Principles

In March 2014, privacy law reforms introduced the Australian Privacy Principles (APPs) into the Privacy Act 1988. The APPs regulate the handling of personal information by Australian government agencies and by those private sector organisations covered by the Act, which includes health service providers. The reforms complement the culture of confidentiality that already exists in general practice.

Practices should familiarise themselves with the APPs, including the Australian Privacy Principle Guidelines published by the Office of the Australian Information Commissioner. The Guidelines are available at www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines

RACGP Handbook

The RACGP Handbook for the management of health information in general practice (3rd edition) provides further information about safeguards and procedures required by general practices in order to meet appropriate legal and ethical standards concerning the privacy and security of patient records.

RACGP Computer and Information security standards (CISS)

‘Compliance indicators for the Australian Privacy Principles’ is an addendum to the Computer and information security standards (2nd edition) (CISS) and is designed to assist general practices to meet their legal obligations under the APPs. It provides a brief explanation of each APP requirement and the steps general practices need to take to ensure compliance.

State privacy legislation

As well as being familiar with the APPs, practices need to be familiar with any relevant state or territory privacy and health records legislation, as this will also affect the way in which practices manage patient health information. For more information visit www.oaic.gov.au or the local state equivalent.

Practice privacy policy

The RACGP has developed a privacy policy template for general practices to assist compliance with the requirements of the APPs. The template is titled the APP privacy policy: managing patient health information.

Communicating with patients

A practice’s privacy policy can be made available to patients in a number of ways, including a sign at reception, a separate brochure, a section of the patient information sheet, or a notice or link on the practice website.

The Privacy Act 1988 sets out two compulsory mechanisms for informing patients about how their health information will be used.

  1. A practice privacy policy. Organisations are required to provide this policy on request and commonly satisfy this requirement by making their privacy policy available on their website or on a sign at reception.
  2. A ‘collection statement’ which contains prescribed information, including the following:
  • the identity of the practice and how to contact it
  • the fact information is collected and the circumstances of that collection
  • the fact that patients can access their own health information
  • the purpose for which the information is collected
  • other organisations to which the practice usually discloses patient health information
  • any law that requires the particular information to be collected
  • the main consequence for the individual if important health information is not provided
  • the existence of a supporting privacy policy.

Patient consent

Patient consent should be obtained at an early stage in the process of clinical care. It is important to distinguish between consent to treatment and consent to the handling of patient health information even if such consent processes happen to occur at the same time.

Consent may be written (ideal) or verbal, and may be provided by way of:

  • express consent, such as where the patient signs or clearly articulates their agreement
  • implied (or inferred) consent, where the circumstances are such to reasonably infer the patient has consented.

Transfer of health information

The correct process for transferring patient health information to others, such as other health service providers or in response to third party requests, is outlined in section 2 ‘Use and Disclosure’ of the Office of the Federal Privacy Commissioner (OFPC) Guidelines on Privacy in the Private Health Sector. Practices are advised to contact their insurers if they have any concerns about third party requests for the transfer of patient health information.

Research

Research is an important component of general practice in Australia. Practices are encouraged to participate in research both within their own practice and through reputable external bodies.

If a practice is using de-identified patient health information, there are still some situations in which a practice should obtain informed patient consent, and some situations where informed patient consent is not required. Consent requirements, when using de-identified data, will be decided by a Human Research Ethics Committee.

Further information about research in general practice, including the requirements for ethics approval, can be found in the National Health and Medical Research Council’s (NHMRC) National statement on ethical conduct in human research available at www.nhmrc.gov.au/_files_nhmrc/file/publications/synopses/e72-jul09.pdf

Quality improvement

For a quality improvement activity to be undertaken within a general practice, where the primary purpose is to monitor, evaluate or improve the quality of healthcare delivered by the practice, ethics approval is not required.

Clinical audits using a tool such as the Clinical Audit Tool (CAT) (see Criterion 3.1.1 Quality improvement activities) or ‘plan, do, study, act’ cycles undertaken within a general practice as part of a quality improvement activity do not require ethics approval. For example, a practice wishing to determine how many of its pregnant patients are given advice on smoking cessation, or how many patients with heart failure are prescribed ACE inhibitors and beta blockers, may complete an audit on their practice data.

In general, a practice’s quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would not be considered a directly related secondary purpose for information use or disclosure. In other words, it is likely the practice would need to seek specific consent for this use of patients’ health information for clinical audit activities.

To ensure patients understand and have reasonable expectations of quality improvement activities, practices are encouraged to include information about quality improvement activities and clinical audits in the practice policy on managing health information. Ideally, express consent for these activities will be obtained upon patient registration.

Disclosure of health information to carers

The disclosure of necessary health information by an organisation to an individual’s responsible person (such as a carer) is permitted by the Privacy Act 1988, providing it is reasonably necessary, in the context of providing a health service to that individual and the individual is physically or legally incapable of consenting or communicating that consent. If a situation arises where a carer is seeking access to a patient’s health information, practices are encouraged to contact their medical defence organisation for advice before such access is granted.

Practice closures

The correct process for handling patient health information on the closure of a practice can be accessed from the Office of the Australian Information Commissioner at www.oaic.gov.au

Standard 4.2 Management of health information

Our practice has an effective system for managing patient information.

Criterion 4.2.1

Confidentiality and privacy of health information

Our practice collects personal health information and safeguards its confidentiality and privacy in accordance with Australian Privacy Principles.

In a nutshell

The law requires your health service to maintain the confidentiality and privacy of personal health information in relation to the way it collects, uses and makes available this information. This criterion requires your service to have in place a documented privacy policy in line with Australian Privacy Principles, and to make sure patients are aware of the policy. See Criterion 4.2.1 Confidentiality and privacy of health information of the Standards for general practices for more information about what the privacy policy should cover.

Further information regarding the Australian Privacy Principles is available from the Office of the Australian Information Commissioner at www.oaic.gov.au

Key team members

  • CEO/directors
  • Health service manager
  • All staff

Key organisational functions

  • Patient communication and informed choice
  • Patient complaints policy and process
  • Patient confidentiality and privacy policy
  • Patient consent policy
  • Patient health information management policy
  • Patient health records policy
  • Patient informed consent policy
  • Patient records management system
  • Patient records policy and processes
  • Patient rights policy
  • Patient telephone and electronic communications policy
  • Research policy
  • Ethics approval guidelines

Indicators and what they mean

Table 4.3 explains each of the indicators for this criterion. Refer to Criterion 4.2.1 Confidentiality and privacy of health information of the Standards for general practices for more information and explanations of some of the concepts referred to in this criterion. 

Table 4.3 Criterion 4.2.1: Confidentiality and privacy of health information
Indicator | What this means and handy hints

▶ A. Our practice team can describe how we ensure the confidentiality of patient health records.

A patient confidentiality and privacy policy is advised. It should clearly describe how patient information is collected, recorded, stored and used. Your policy could outline:
  • what information is collected
  • why information is collected
  • how the information is recorded and stored
  • how your health service maintains the confidentiality of information it holds.
Staff must clearly understand how they need to apply relevant elements of the policy or process to protect patient confidentiality. These elements would include that patients have individual health records and only authorised staff have access to those records, and that patient health information is not transferred to a third party – including another healthcare provider – without the patient’s consent.
▶ B. Our practice team can demonstrate how patient health records can be accessed by an appropriate team member when required.

Your service has a documented health service privacy policy and staff can describe how particular elements of the policy are applied to give nominated members of the team specified access to health records. Patient health information is collected for the purposes of delivering health services, and should only be accessed, when needed, by an appropriate staff member. This means that not every staff member should or could access patient information. The health service’s privacy policy could outline:
  • the people (for example, doctors, nurses or AHWs) with full access to patient health records
  • the people with limited access to patient health records
    • the scope of that access; that is, what kind of information they can access, when and for what purposes. For example, administrative staff may be authorised to access name, address and date of birth for patient identification purposes and for keeping patient contact information up to date when patients present to the health service
  • the people with no access at all to patient health records.
Generally speaking, access to patient health information will be authorised for treating clinicians, but not for other staff.

For clinicians who are relatives of a patient at the health service, access to that patient’s health information would need to be considered on the same basis; that is, if the relative is a treating clinician, access would be authorised. However, your health service would need to consider an additional caveat in deciding whether such access would be fully appropriate. See section 3.14 of the Australian Medical Council’s code of conduct:
Whenever possible, avoid providing medical care to anyone with whom you have a close personal relationship. In most cases, providing care to close friends, those you work with and family members is inappropriate because of the lack of objectivity, possible discontinuity of care, and risks to the doctor and patient. In some cases, providing care to those close to you is unavoidable. Whenever this is the case, good medical practice requires recognition and careful management of these issues.
See www.amc.org.au/images/Final_Code.pdf
▶ C. Our practice team can describe the processes we use to provide patients with access to their health information.

Your service has a documented health service privacy policy and staff can describe how particular elements of the policy are applied to meet patients’ rights to request access to their own health information. The policy could outline how patients can request access to their health information (for example, by submitting a form) and how your health service would normally make information available (for example, a copy of the health summary is normally provided and an administration fee normally applies for copies of reports).

Note that there may be situations where doctors withhold patient health information (such as where access to that information will pose a serious threat to the life or health of any individual). Where doctors are concerned about providing information to their patients, they are strongly advised to talk to their medical indemnity insurers. This scenario could be outlined in the privacy policy.
▶ D. Our practice team can demonstrate how patients are informed about our practice’s policy regarding management of their personal health information.

There are two compulsory components to communicating with patients about your health service’s privacy policy.
  1. You are required to provide a copy of your privacy policy upon request. You can also satisfy this requirement by making your policy available on your website or on a sign at reception.
  2. You are required to provide a collection statement that sets out information about:
    1. the identity of your health service and how it can be contacted
    2. how patients can access their own health information on request
    3. the purpose for which information is collected
    4. other organisations to whom your health service usually discloses patient health information
    5. any laws that require particular information to be collected
    6. the main consequences for the patient if important health information is not provided.
An important aspect of communicating these requirements for ACCHSs is the need to provide the information in an easily understood format due to language and cultural barriers. This is particularly the case where there may be perceived cultural sensitivities. It is highly recommended that the design and provision of this information be made in consultation with the relevant local community or cultural advisors.
▶ E. Our practice team can describe the procedures for transferring relevant patient health information to another service provider.

It is important that the provision of patient health information to third parties or other service providers is made in accordance with written policies and processes. The relevant policy and procedures could include:
  • how your health service gains patient consent before disclosing their personal information to third parties
  • the process of providing health information to another service provider
  • how your health service informs patients of the processes in place (for example, through a brochure or your service website).
▶ F. Our practice team can demonstrate how we facilitate the timely, authorised and secure transfer of patient health information in relation to valid requests.

Section 2.3 ‘Use and disclosure with consent’ of the Guidelines on privacy in the private health sector (see Other information for Standard 4.2) sets out the correct process for transferring patient health information to others, such as other health service providers or in response to third-party requests. Keep in mind that these guidelines were developed for private sector and non-government health service organisations.

It is strongly advised that your health service establishes a written document that sets out clear processes for your clinical team to ensure timely, authorised and secure transfer of patient health information. It is suggested that this policy includes:
  • a definition of valid requests, providing examples of what would constitute valid and non-valid requests
  • a procedure that promotes timely responses to requests, and timely transfer of documents
  • provision for resourcing of clinical team members concerned about third-party requests (such as information and/or contacts of relevant insurers)
  • procedures for managing complaints about patients’ requests for access to their own health information.
▶ G. When we collect patient health information for quality improvement or professional development activities, we only transfer identified patient health information to a third party once informed patient consent has been obtained. Amended in May 2013.

Health services are encouraged to use patient health information for internal quality improvement or professional development activities that seek to improve a particular treatment or service offered by the health service. But it is important that no patient can be identified from this information.

Where de-identified and aggregated patient health information is being used by your health service for such quality improvement activities, then additional patient consent for the use of their health information is not necessary.

Where a practice is providing patient health information or data to a third party for research purposes, there are some situations where informed consent is required, and there are some situations where informed consent is not required. The requirement for consent when using de-identified data will be decided by a Human Research Ethics Committee. Amended in May 2013.

To ensure patients understand how their (de-identified and aggregated) health information may be used for internal quality improvement purposes it is recommended that this is explained in your health service’s privacy policy.

This indicator was reviewed by the RACGP in May 2013.
▶ H. Whenever any member of our practice team is conducting research involving our patients, we can demonstrate that the research has appropriate approval from an ethics committee.

If your health service, or any of its staff, conducts research about its patients, the service needs to obtain human research ethics approval from an independent ethics committee.

Information about research in general practice, including requirements for ethics approval, can be found in the NHMRC’s National statement on ethical conduct in research involving humans (see Other information for Standard 4.2).

Obtaining ethics approval for research about patients is important because it helps your health service to ensure that:
  • the research will have potential benefits for patients, your health service itself and/or the local community
  • the research avoids the over-researched syndrome experienced by some Aboriginal and Torres Strait Islander communities
  • the research is planned and conducted with the full involvement of the community (‘Not about us without us’)
  • patient rights are protected
  • there is compliance with special cultural and ethical issues in research involving people from Aboriginal or Torres Strait Islander background.
There are separate ethical considerations regarding research with Indigenous and vulnerable peoples that may not come into play when researching other populations. These include differing world views and approaches to research, recognition of Indigenous vulnerability, and Indigenous knowledge. Additionally, there are recognised characteristics of Indigeneity that impact on research; these characteristics include ecological ties, human encounters, autonomy and self-determination.

There are some well-established protocols in researching Aboriginal and Torres Strait Islander peoples that take into account cultural and ethical issues. See the Other information for Standard 4.2 for these.

Case study

Below is a description of the ways in which an Aboriginal community controlled health service can ensure that it has an effective system for managing patient information. Not all of these good practices are required by the Standards, but they illustrate the many practical and creative things that ACCHSs can do to ensure they deliver services of high safety and quality to their community.

The health service has a documented privacy policy that reflects key legislation and is written in plain English and other community languages so that all staff and patients clearly understand what it says. The policy clearly defines confidentiality and privacy in relation to health information and documents procedures for the management of patient information.

The confidentiality and privacy policy and procedure manual includes:

  • procedures for informing new and existing patients about privacy arrangements in relation to health information in the service
  • details about which staff members may have access to patient health records and to what level they can access this information – for example, reception staff can only access demographic information but doctors have full access
  • details about how patients can request access to their own health information
  • processes for sharing patient health information with third parties in an authorised, secure and timely way – for example, the transfer of health records or referral to a specialist
  • information on how the service maintains privacy of patient health information in relation to other uses – for example, for quality improvement and professional development
  • information on how the service deals with complaints about privacy in relation to health information
  • details about how privacy is maintained when using patient data for quality improvement activities or when conducting research.
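
The tiered access described under Indicator B and in the case study bullet above (reception sees demographic data only, treating clinicians see everything, other roles see nothing) is easiest to defend at accreditation when it is enforced by the records system and every read is audited. The following is an added illustration of that model, not code from the RACGP Standards or from any practice software. The role names, field groups, record layout, and the rule that a treating clinician who is also a relative is allowed through but flagged for review, are all assumptions made for the example.

```python
"""Tiered role-based access to patient health records with an audit trail.

Added illustration only: this is not code from the RACGP Standards or any
practice software. It enforces the access model described under
Indicator B and in the case study (full access for treating clinicians,
demographic-only access for reception, no access for other roles) and
flags the relative-as-clinician case for review. Role names, field
groups, the record layout and the flagging rule are assumptions of the
example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed field groups. Reception sees only what it needs to identify a
# patient and keep contact details current.
DEMOGRAPHIC = frozenset({"patient_id", "name", "address", "date_of_birth"})
CLINICAL = frozenset({"medicare_number", "history", "medications", "notes"})

# Assumed role-to-fields policy. A role missing from this table gets
# nothing (deny by default), which covers "people with no access at all".
ACCESS_POLICY = {
    "doctor": DEMOGRAPHIC | CLINICAL,
    "nurse": DEMOGRAPHIC | CLINICAL,
    "aboriginal_health_worker": DEMOGRAPHIC | CLINICAL,
    "reception": DEMOGRAPHIC,
}


class AccessDenied(PermissionError):
    """Raised when the policy does not permit the requested read."""


@dataclass(frozen=True)
class AuditEvent:
    time: str
    user: str
    role: str
    patient_id: str
    fields: tuple
    outcome: str  # "granted", "granted_flagged" or "denied"


@dataclass
class RecordStore:
    records: dict                      # patient_id -> record dict
    audit: list = field(default_factory=list)

    def _log(self, user, role, patient_id, fields, outcome):
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role,
            patient_id, tuple(sorted(fields)), outcome))

    def read(self, user, role, patient_id):
        """Return only the fields `role` may see; every attempt is audited."""
        allowed = ACCESS_POLICY.get(role, frozenset())
        record = self.records.get(patient_id)
        if record is None or not allowed:
            # One failure mode for "no such patient" and "no such right",
            # so a caller cannot use the error to probe which IDs exist.
            self._log(user, role, patient_id, (), "denied")
            raise AccessDenied("access denied")
        # Clinical fields are for the patient's treating clinicians only;
        # other clinicians get the same demographic view as reception.
        if allowed & CLINICAL and user not in record["_treating"]:
            allowed = allowed & DEMOGRAPHIC
        # A treating clinician who is a relative still gets access here,
        # but the event is flagged so the practice can review it.
        outcome = "granted_flagged" if user in record["_relatives"] else "granted"
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(user, role, patient_id, view.keys(), outcome)
        return view


# Constructed sample record, not real patient data. The underscore keys
# are bookkeeping and are never returned because no role is granted them.
SAMPLE_RECORDS = {
    "P001": {
        "patient_id": "P001", "name": "Example Patient",
        "address": "1 Example Street", "date_of_birth": "1970-01-01",
        "medicare_number": "0000000000", "history": "asthma",
        "medications": ["salbutamol"], "notes": "review in 6 months",
        "_treating": {"dr_a", "dr_b"}, "_relatives": {"dr_b"},
    }
}


def demo():
    """Run the scenarios from the text and return (views, audit outcomes)."""
    store = RecordStore(SAMPLE_RECORDS)
    views = {
        "treating_doctor": store.read("dr_a", "doctor", "P001"),
        "relative_doctor": store.read("dr_b", "doctor", "P001"),
        "other_doctor": store.read("dr_c", "doctor", "P001"),
        "reception": store.read("front_desk", "reception", "P001"),
    }
    for user, role, pid in (("cleaner1", "cleaner", "P001"),
                            ("dr_a", "doctor", "P999")):
        try:
            store.read(user, role, pid)
        except AccessDenied:
            pass
    return views, [(e.user, e.outcome) for e in store.audit]


if __name__ == "__main__":
    for name, view in demo()[0].items():
        print(name, sorted(view))
```

Two design points carry over to any real system: the policy is deny-by-default, so a new role gets no access until someone deliberately grants it, and denied attempts are written to the same audit trail as successful reads, which is what lets the practice later show who looked at what and act on the confidentiality agreements described in the case study.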

Staff position descriptions clearly state their roles and responsibilities in relation to confidentiality and privacy, and these are appropriate for their job. When they start employment, staff and volunteers are required to sign a confidentiality agreement in relation to health information; this is kept in their file. Privacy and confidentiality in relation to health information is clearly emphasised at orientation and in ongoing staff training. The policy emphasises that breaches are viewed as grounds for termination of employment.

The privacy policy in relation to health information includes a clause stating that any research activities involving patients of the health service require Human Research Ethics Committee approval, which will decide if informed patient consent is required. Amended in May 2013.

A research-specific consent form is used to clearly identify the difference between consent for treatment or a procedure and consent for research. Any issues or changes that arise in relation to confidentiality and privacy are discussed at staff meetings and documented in the policy and procedures if necessary.

A privacy notice is displayed in the waiting room detailing how the service collects, uses and shares patient health information.

De-identified patient information is used by the service for internal quality improvement processes, preventive health activities and health-promotion planning. This information is not used for any other purpose.

The service uses a community engagement process (through the board) to identify priorities for research about patients, the health service itself or the community. 

Showing how you meet Criterion 4.2.1

Below are some of the ways in which an Aboriginal community controlled health service might choose to demonstrate how it meets the requirements of this criterion for accreditation against the Standards. Please use the following as examples only, because your service may choose other, better-suited, forms of evidence to show how it meets the criterion.

  • Maintain a privacy policy and procedures.
  • Maintain confidentiality agreements in staff contracts and staff files.
  • Show that you utilise staff orientation and induction.
  • Show that you utilise staff interviews.
  • Maintain a patient health information management policy.
  • Maintain a patient health records policy.
  • Maintain a patient rights and responsibilities document as for Criterion 2.1.1.
  • Maintain a research policy and ethics approval guidelines.
  • Document ethics approval for all research conducted by staff of the health service that involves health service patients.

The Royal Australian College of General Practitioners

The Royal Australian College of General Practitioners (RACGP) ABN 34 000 223 807
RACGP House, 100 Wellington Parade, East Melbourne, Victoria 3002 Australia