Criterion 4.2.2 Information security
The security of patient health information in our health service is maintained.
► A. Our practice team can demonstrate that the personal health information of patients of our practice (including medication charts) is neither stored nor left visible in areas where non-health service staff have unrestricted access, or where constant staff supervision is not easily provided (interview, direct observation).
► B. Our practice ensures that our practice computers and servers comply with the RACGP computer security checklist and that (interview, direct observation):
- computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation
- computers have screensavers or other automated privacy protection devices that are enabled to prevent unauthorised access to computers
- servers are backed up and checked at frequent intervals, consistent with a documented information disaster recovery plan
- backup information is stored in a secure offsite environment
- computers are protected by antivirus software that is installed and updated regularly
- computers connected to the internet are protected by appropriate hardware and software firewalls.
► C. If our practice uses computers to store personal health information, we have an information disaster recovery plan that has been developed, tested and documented (document review).
► D. Our practice has a designated person with primary responsibility for the practice’s electronic systems and computer security (interview).
► E. Our communication devices are accessible only to authorised staff (document review).
The RACGP Handbook for the management of health information in private medical practice (www.racgp.org.au)52 and the RACGP Computer security guidelines (3rd edition)53 (www.racgp.org.au/ehealth/csg) provide information on the safeguards and procedures that general practices need to follow in order to meet appropriate legal and ethical standards concerning the privacy and security of patient health information. These documents also contain suggestions for additional security procedures. The Commonwealth Privacy Act 2001 states that a patient’s ‘personal health information’ includes a person’s name, address, account details and any health information (including medical or personal opinions) about the person. Details about a person’s medical history or other contextual information can sometimes identify them even when no name is attached, so such information is still considered ‘personal health information’. Further information is available from www.privacy.gov.au.54
It is likely that health services will have different levels of access to patient health information for different staff members. For example, administrative staff may not have full access to patient health information. The type of staff who are authorised to access different levels of patient health information needs to be documented in the policy and procedure manual.
The health service must ensure that both active and inactive patient health records are kept and stored securely. Health records should not be accessible to departmental staff or to staff of the prison’s management company. If a patient’s health record needs to be accessed in response to a third party request, health service staff should only provide access to the information specific to that request, in accordance with the Commonwealth Privacy Act 2001.55
An inactive patient health record is generally considered to be the record of a patient who is no longer incarcerated in the prison. It is recommended that inactive patient health records are retained by the health service indefinitely or as stipulated by relevant state or territory legislative requirements for prisons.
Staff need to ensure the confidentiality and security of patient health information and any equipment used to record, store or communicate such information (eg. computers, memory sticks or paper files). The presence of an additional person during the normal opening hours of the health service (besides the GP or another member of the clinical team) should increase security and safety for patients and staff and reduce the risk of unauthorised access to patient health information (see Criterion 4.2.1: Confidentiality and privacy of health information).
When a health service uses computers to store patient health information, the health service needs to undertake regular backups and have a documented information disaster recovery plan to protect and recover electronic information in the event of an emergency (eg. power failure).
The RACGP Computer security guidelines56 provide a self-assessment guide and security checklist, and contain information about information disaster recovery plans (www.racgp.org.au/ehealth/csg).