Sally: Today's webinar is privacy and managing health information in general practice. My name is Sally and I'm the project coordinator for the RACGP Practice Technology and Management team, and I'll be your host for tonight. I'm joined by Dr David Adam who will deliver the presentation for you this evening. A bit more about Dr Adam. Dr Adam graduated from the University of Western Australia in 2010 and undertook general practice training in outer urban and rural Western Australia. He currently works part-time in general practice in Lockridge, as well as being a hospice doctor with the home hospice service. He is particularly interested in children's health and medical education. Dr David Adam is a member of the practice technology and management RACGP expert committee and presented workshops as a Digital Champion to members as part of the 2018 My Health Record education awareness program. David, welcome to the webinar.
David: Thanks very much.
Sally: David, myself and the RACGP would like to thank everyone for taking time out of your busy schedules to participate in this evening's webinar. Before we begin I would like to make an Acknowledgement to Country.
I would like to acknowledge the traditional owners of the respective lands on which we are meeting this evening and pay my respects to Elders past and present. I would also like to acknowledge any Aboriginal and Torres Strait Islander people present.
Sally: This webinar is presented in collaboration with the Australian Digital Health Agency.
Well David, I think it's time we started the presentation. So I'll hand it over to you.
David: Excellent. Thank you very much. And again a big welcome to everyone from all around the country. It's great to see lots of GPs joining us this evening and also some of their practice staff. Hopefully what we'll be able to do for you tonight is give you a good overview of the obligations you have around collecting, using and disclosing patient information, as well as looking at patient access to information, external requests for information and some of the obligations you have around protecting that information. And finally, in case your practice doesn't really have one, we'll talk about some tools you have to implement a practice privacy policy. It's always interesting, we did one of these earlier today in business hours and the number of non-GPs was significantly higher, so I know this is probably at the end of a long consulting day for you. Thank you very much for your attention and hopefully I'll be able to cover as much material as we can and answer some of your questions.
So the agenda tonight. The first thing we're going to do is talk about some of the key concepts and the legislation that apply to information collection and privacy. Look about how we manage Information Management around patients and in general practice more generally, talk about some of the resources that are available and particularly some of the states and territories advice on privacy and we hopefully have time for some questions and answers as well.
So just to start off, let's talk about some of the core concepts around collecting patient information. I think it's pretty reasonable that we can all understand that we collect information about our patients and that's around the provision of healthcare services. It seems like a daft thing to say but it does need to be said that we shouldn't be collecting patient information unless that's reasonably necessary for the delivery of healthcare, and ideally when the patient consents, although of course consent is not specifically required when it's very unreasonable to seek it or collection is necessary to lessen or prevent serious threat to life or health or safety. Again seems like something that should be obvious but our practices must only collect personal information by lawful and fair means, which means without being unreasonably intrusive or using methods of intimidation. And while that wouldn't come up in most of our typical clinical general practice, certainly concerns around intimidation or coercion come to the fore in mental health services and in similar areas where there might be an imbalance of power.
Finally any information that you wouldn't have ordinarily collected that comes into your possession, so that is unsolicited information, should be destroyed, unless there's a way that you would have collected it otherwise. An example that I like is discharge summaries, where you haven't specifically requested that the hospital send you a copy of a discharge summary or clinical handover, and if you receive that unsolicited and you look after the patient, normally, I think it would be fair to assume that you would have received that via the patient if it wasn’t sent to you directly. On the other hand if you receive information about a patient who you don't know at all then that information should not be retained and should be destroyed and de-identified. We'll talk about some of the methods on that later.
In the context of a general practice, I think it is reasonable to consider that a patient who attends and is willing to engage in the consultation consents, unless their consent is expressly revoked. Of course, our advice is always that you should specifically collect the patient's express consent. For example in your signed admittance form to the practice. There are two terms I want to clarify and want to note, because we're going to be using them a lot tonight. And that's around primary and secondary use. So primary use of health information is what we all think about when we're providing health services. And so that is the information that's directly related to the healthcare services provided.
So for example information about history, examination and treatments, information that you receive or send to people other than their treating GPs, so referrals to hospitals or specialists, internal assessment (to assess the feasibility of particular treatment). But it also includes things like management, funding, complaint handling, planning evaluation and accreditation. Primary use also covers disclosure to experts or to lawyers, such as medical defence organisations under the protection of attorney-client privilege and that is around adverse incident in the event of legal proceedings. And of course any of us who are under supervision or who have supervised doctors, whether they be registrars or others in our practice, you know, I think it's fair to say that the use of the disclosure of information for supervisors would be covered under that primary use.
Secondary use is therefore everything else. So anything that is used outside of direct healthcare delivery. And secondary use generally requires patient consent of some form or another. And unless it's directly related to the healthcare some examples of this include analysis, research, quality and safety measurement, some accreditation certification activities, any marketing and any other business application.
I want to talk specifically about the secondary use of de-identified practice data and just remind all participants that practices are not obliged to provide healthcare data for secondary use outside of practice unless it's been absolutely mandated to do so by the government. For example that includes some cancer screening programs. And even if your practice takes part in secondary use, patients should be able to opt out from providing even de-identified data. We certainly encourage you to participate in initiatives that contribute to quality improvement and to better health outcomes. So you really need to be able to make a decision within your practice about whether the request for secondary use of your patients' healthcare data is appropriate. For example, PHNs sometimes seek population health data to improve the support that they provide. Data provided really needs to be carefully de-identified with respect to the confidential nature of the patient, and the provider, and the practice.
It seems like a week doesn't go by without a new re-identification attack on the de-identified data, either in health literature or information security literature. And so the concept of de-identified data is actually a very tricky one. We'll talk a little bit more about some of the important things around that a bit later. Your patients need to be assured that any data collection is held in accordance with the Privacy Act and we talk about that later. You're going to be sent now the link to the RACGP's resource on the secondary use of general practice data, so that includes identifiable and de-identified data and that will be available to you now.
Speaking of research. I think many of our practices do take part in health research and you will be interested to see who that is a little bit later on. If you're taking part in research, then you may use or disclose the health information that you've collected about patients. It is interesting that when patients are surveyed, that expectations around that are actually quite varied. So it's important to limit your use or disclosure except the specifically obtained consent. The legal and ethical principles too that govern health research make it clear that research participant consent is absolutely paramount and the patient should be able to understand what the research involves, the ways in which their information will be used or disclosed and the risks or benefits of participating, particularly around the publishing of potentially identifiable information. For more information, there are some statements from the NHMRC and the Therapeutic Goods Administration on clinical trials and ethical conduct in human research which we'll send to you now.
But I guess we'd just be interested to know how many practices are participating in health research.
Sally: Yes, David, thank you. We've just put a polling question up. Does your practice participate in health research? Yes. No, not interested. No, but we would like to. Unsure or not applicable. If everyone can just answer, that would be great.
Okay, I'm just sharing that with you now David.
David: Thanks. It's really great to see that so many of our practices are involved in health research. I think like anyone in primary care, I think that primary care led research for good evidence based medicine is really important. So thank you for your involvement and hopefully some of the things we talked about you'll be able to recognise from the way that you’re handling the health information of your patients. For those of you that are in my position, our practice used to be involved in a lot of the research but isn't anymore. But I think we’d quite like to be. There is another webinar being run by the RACGP's Education Services Division, on getting into general practice research which is coming up reasonably soon. If you're interested one of the things they'll talk about is consent and the use of patient information. So you'll have the messages now about the various guidelines from the Therapeutic Goods Administration and the National Health and Medical Research Foundation's statement on ethical conduct.
Many of these concepts on screen now will be familiar to you. But I'm just going to run quickly through about the different types of consent and some of the terms that you hear us use around consent for information. So I think it's fair to say that patients have the ethical legal right to make informed decisions about their health. And informed consent forms the basis for many of the Privacy Act exemptions, permitting collection, use and disclosure. So obtaining informed consent should be a key guiding principle for all of us in general practice. We note that many medico-legal proceedings result from failure to obtain this consent. And I think one of the things about informed consent is the informed bit - they must have sufficient information and they must be able to make appropriate decisions about it.
That is context dependent of course, but for example with health information, it may include details of the scope of the use of information and any disclosure, any benefits or risk them and any referral or treatment needs. Inferred and express consent are two ends of the spectrum. Express consent is what we’re mostly familiar with around procedures where a patient signs or clearly articulates their agreement. Implied or inferred consent is where circumstances are such that you are able to reasonably infer that the patient has consented and I think the example that always gets used there is implied consent is used when you walk up to a patient's bedside when you're training or in the hospital systems and say “I need to take a blood test from you” and they extend their arm and lift up their shirt sleeves. They are not necessarily saying yes in a verbal fashion, but they are clearly consenting to the whole process. Where those are appropriate is that really express consent should be sought wherever practical and especially where significant clinical risk is likely. So for example, a major procedure or surgery, a signed form is an example and it's certainly easy to demonstrate should there be any questions at a later date.
But informative and well-documented discussion with the patient may equally satisfy that requirement. Really inferred consent should only be relied upon when express consent cannot be reasonably obtained. So don't overestimate the scope of any inferred consent. Of course along with any free choice, any free action, is the chance to withdraw consent or withhold consent. And around the way that healthcare information is managed, we certainly encourage care when treating patients who refuse to provide certain health information, or withhold consent for particular healthcare. For example, we've got a patient in our practice who refuses to sign our privacy statement. And so we're always just very careful about clarifying any management of healthcare information with that person. Now, this is particularly problematic, of course, if the possibility of detrimental outcomes exists if certain information is not collected or used and you really have to clearly explain that to the patient.
So in the circumstances we recommend that you make detailed notes about that discussion and the patient's decision and the ultimate outcome. All of these things are affected, of course by competence and capacity to provide consent and we know some patients are not competent to provide that consent. State and territory guardianship legislation can provide a bit of a framework for obtaining substitute consent on behalf of patients who are incompetent, and certainly if a situation arises where you're not sure, then seeking appropriate advice is very reasonable. Age-related consent is generally dealt with at the state or territory level, although there is some federal common law around that. And I think most of us will be familiar with the concept of a mature minor, or the Gillick competency test - as a rule a child is sufficiently mature to understand and make decisions around their health information if they can understand what will happen to it and they can make the kind of reasoning that we expect from a competent person. The final term on the screen is standing consent - this is a term that you hear a lot around the use of the My Health Record, which is where legislation has been put in place to say that if a consumer or a patient has signed up for the My Health Record, or they haven't opted out of the My Health Record, they have provided a standing consent for you to view and upload information. So this is an authority under the law. With the My Health Record there's no requirement for a provider to obtain consent on each occasion prior to uploading clinical information or downloading from it. The My Health Record legislation certainly doesn't prevent you from accessing or viewing My Health Record outside of the consultation.
You need to be aware that around the My Health Record, that patients and consumers can choose to restrict access to specific documents or even their entire record by establishing access codes and they can set up auditing so that they get a text or an email to let them know in real time when someone accesses their record. There is a break glass function in My Health Record, but that's very carefully audited. Certainly nobody should ever use that except in a real emergency. You'll be sent around in your chat box now, our guide on the use of the My Health Record. If you are participating in that system, or eager to know more about it, that's a valuable resource.
And finally, there are a number of laws and codes that affect patient privacy and our management of healthcare information. The laws and similar things that you're most likely to be exposed to are firstly the Privacy Act, which is a federal government or federal piece of legislation and that includes the 13 Australian Privacy Principles. There are some states that have specific healthcare record legislation - Victoria and New South Wales and the ACT are the ones we know about and although that legislation operates concurrently to the federal Privacy Act, it's broadly consistent with the same principles. But My Health Record has a special act that looks at how information can be used and disclosed and collected. And although it's not legislation the Medical Board of Australia's code of conduct, which you might know as Good Medical Practice, is a document that we need to be aware of because we are held to it. That document outlines principles that we must be aware of - that includes protecting patients' privacy and confidentiality. And patients have a right to expect that their doctors and their staff will hold information about them in confidence unless the release of information is required by law or public interest considerations. More information on these topics can be found in the document you'll be sent the link to now, which is the RACGP ‘Privacy and managing health information in general practice’ guide. We’ll talk a little bit more about that later.
Okay, so moving on to the various ways that patient information can be transferred. We talked a lot about holding it in the practice and the collection of it, but now we're going to talk about transfers. We'd like to put a poll up now and I'll get Sally to pop that up. So if you can check the most appropriate box that you think describes patients' access to their medical records.
Sally: Yes. Thank you David. So patients have access to their medical records with a) no restrictions b) with certain legal restrictions or c) but only as much as you want them to see. If you can select the most appropriate one, that would be great. Thank you.
David: That's really interesting. Okay, so we'll talk more about that in a minute. But I guess it's sometimes a surprise to me that, and patients often have different expectations around this as well. Certainly, they don't have unfettered access to their record, but we certainly need good reason to deny any access to the record.
So those of us who feel that ‘only as much as you want them to see’ we need to have really good reasons for excluding information from any access to records that you give them. And we'll talk more about what those exclusions that are permissible are. Many patients assume that they own their record but in fact, we created it, we store it on our systems and we are the owner of it - generally speaking the practice or the treating GP. It varies a bit depending on your business arrangements and certainly sole practitioners own their records. Those of us that are contractors or employees will have something in their employment or contracts with the practice about who owns the record. And generally speaking it's the practice. If you're in a partnership or you're an owner of a practice, then you may have a claim to some shared interest over some of the records and those of us who own an incorporated practice, you own its assets which includes medical records. And really the ownership of records should be settled by written agreement. In the absence of such agreements ownership may be dependent on the nature of the relationship between the GPs. So certainly getting something written down and seeking appropriate professional advice before you enter into any agreement is really important. We would hate there to be a dispute at a later date.
Patients may access all their personal information held by their practice subject to really limited exemptions. So where a patient does have access you may always consider having a usual treating GP be available to clarify contents and to discuss any concerns with the patient. Some State legislation requires access requests to be made in writing but regardless of which state you’re in it’s probably a good idea. It's certainly preferable for your practice to require any requests in writing wherever possible, just so it's clear exactly what information is being requested. The obligation is on your practice to provide the information in the manner requested by the patient. Although it may be unreasonable under circumstances to, for example, hand over an entire medical record. I certainly wouldn't encourage you to release original paper files into the patient's hand. For example, you are entitled to make that assessment and consider acceptable alternatives. So you could provide a copy for the patient and the patient might just want to review the record at the practice. You need to consider your needs and the patient's. The question we get asked a lot is ‘can I charge a patient for accessing their records?’ Although you can charge a fee for providing access, you can't charge a fee to submit a request. The fee has to be reasonable for things like the cost of printing, the time taken to collate the file and so on. There is no definitive guidance of what a reasonable fee is although some State Health Departments do provide some guidance on this but you know, make sure you consider the person's circumstances and capacity to pay when determining whether you're going to charge for it. You need to be familiar with the grounds on which you may refuse to provide access where necessary and in particular your practice should consider the risk of distress to other patients.
For example, you may consider refusing access when that would lead to significant distress or lead to self harm or harm to another person. If health information of another patient is contained within the record. If the requesting patient's information is disclosed by another patient in confidence and that disclosing that information would lead to risk to another. And particularly around the possibility of domestic abuse or child abuse. So if you're considering refusing access, it may be worth getting professional advice, for example from your medical defence organisation. If your practice is accredited it will have a privacy policy and even if you're not accredited, I think having a privacy policy is a really good idea. The RACGP has a privacy policy template and a pamphlet that goes along with it and we’ll send you a link to that now.
Okay, transfer of care between practices. So as you know, despite the old view of family medicine being ‘cradle to grave’ many patients in this day and age move, or move practices, and they may request, or their new GP may request, that you transfer their existing records across. It can be fairly extensive and I'm sure we've all had records where there've been pages and pages and pages of information. So it may be useful to put together a succinct set of information that you always want to transfer. We have a document called ‘Managing external requests for patient information’ and that's where this flowchart comes from. This document has a flow chart about when we need to transfer care and so on. If you are selling your practice, or you know between body corporates, this is a tricky area, you know privacy legislation doesn't actually fully cover what this looks like. We would say it is ideal to obtain consent from patients before transferring during the sale of a practice. We will talk a little bit more about what's involved in that at a later stage of the presentation.
I'm sure like me you've all received many requests from third parties of many kinds – lawyers, insurers and other third parties, about information or for comprehensive records of a specific patient. You may be obliged to disclose that information in certain circumstances, but more often you’re requested to do so and I certainly think that providing records to facilitate resolution of disputes is generally in the interests of patients unless they claim things that aren't true and I think it's in the public interest as well. So you will receive requests for patient records. Before you provide that information to a third party, it's really important that patient consent is provided.
You really need to consider what information is relevant for the proposed purpose. So patients generally expect, and this is quite reasonable I think, that only the necessary subset of their information will be disclosed or transferred. So you may not be justified in handing over a copy of the entire medical record if that information does not relate to the condition for which the referral's being made or requested. You may wish to carefully examine your authority for disclosure and seek advice or seek confirmation from the patient. The example I always use is when an entire medical file is requested under the work cover, or workers compensation, consent. I think many patients don't actually fully realise exactly what they're signing when you sign their first medical certificate or their first certificate of capacity. If you receive a request for a comprehensive record, it would be well worth your time just to confirm that with the patient. Again, there's a good flow chart on that in that resource on managing external requests for patient information.
The My Health Record is a whole other kettle of fish and we'll talk about those different requirements shortly.
Finally, if you are particularly unlucky, you may receive a requirement to produce information as part of the legal process. So that's a subpoena or a court order or a summons. Those generally arise when the patient is suing you or another organisation and the medical records are relevant. So subpoenas or court orders are an exception permitting disclosure. Although we definitely encourage you to closely examine the scope of any discovery or subpoena because courts will generally require that those orders only request records that are reasonably necessary and relevant to the proceeding. These orders and some other legal processes such as mandatory reporting or communicable disease reporting, are exceptions to the usual principles of patient privacy. So if you're unsure about complying with one of those legally required exceptions, you can always seek advice from your medical defence organisation. I think it's probably good practice at least the first few times you receive a subpoena or a court order that you speak to them just to clarify what your rights and obligations are and to make them aware.
When a GP is requested to provide a full record, you’re generally obligated to comply but various clinical systems, when you say print the entire patient record, different software packages have different ideas about what that means. So our resource on managing external requests for patient information includes the data set of what a comprehensive medical record should include. And that includes such things as demographics, the health summary, the old front page type thing, progress notes, letters, reports, and so on.
Finally, the My Health Record, as mentioned is a little bit of a different situation. So if you're issued with a subpoena, that's generally for information in your local records, not from the My Health Record. It's important to note that insurers and employers can't request information that at any stage was sourced from My Health Record, for any employment or insurance purposes. And that's one of the changes that came in when the opt-out process for My Health Record was taking place. If you're issued with a court order, which is a court order made under the My Health Record legislation, then you would need to provide that information. I think it would be unusual for general practices to get a court order that requires My Health Record information to be released. Generally that would be sought from the system operator, which is the Australian Digital Health Agency. Of course, if you're not sure, seek advice from your medico-legal insurer.
Information being transferred overseas requires particular consideration around privacy implications. Certainly some countries have very different privacy standards. Some countries have little or no privacy standards. And once personal information is disclosed in an unregulated manner it's very difficult to regain control over it. It's very difficult to get it back in the barn. So the need for protection of information extends to the use of overseas data storage as well as the processing of patient information overseas. That’s things like transcription reporting services and so on. If you're sending patient information overseas, you are still responsible for it. We recommend that you seek specific patient consent and alerting patients to this possibility is certainly a requirement of privacy policies. It's not strictly necessary in circumstances where reasonable steps have been taken to ensure that the overseas recipient doesn't breach the privacy of that individual, so that you know if they are operating in a manner similar to here in Australia.
I'm going to talk a little bit now about the management of patient records. First that is around the retention of health records. So this means how long you keep records for when a patient is no longer attending the practice. There is specific legislation around this in the ACT, New South Wales and Victoria which outlines the minimum period of time for which records need to be kept. So that's basically seven years for adults or for children until they're 25. In any case it means more than seven years after the last occasion on which the health service was provided to that individual. So whichever is the later of those two. In the remaining states, the retention of record periods that we've posted, come from the public sector and so they don't specifically apply to private organisations like most community general practices. I think you would have to have a pretty good reason not to comply with those. So if you're not sure then certainly take advice from your insurer.
Of course there are some exceptions and we'll talk about those around destruction as well. But you know, if you think it's likely the record will be involved in legal proceedings, it would be very unwise, and in fact not permissible, to destroy those records. I understand that in the Northern Territory there are certain records of Aboriginal or Torres Strait Islander people born before 1980 that can't be destroyed. So again, if you're not sure about that kind of thing on a state-based level, definitely check with your insurer. If a patient changes practices and you transfer their records, your practice is certainly not obliged to hold onto their record. I think all of us would agree that it would not be unusual for patients to transfer to another practice and then transfer back, or go over and decide that they didn’t like it, or move around the country. And so as soon as their registered post is in the mail, I'm not suggesting you should immediately delete their records. I think that would be a bit brave of you. You still need to be aware that there's a possibility they may return and getting that record back might take some time. If you do decide you don't need it anymore, you can certainly look into destruction of health records. You need to make sure that you've met those retention periods and that the record destruction is not prohibited. So again, if you think it's going to be involved in legal proceedings, it’s better to hang on to it. You must take reasonable steps to ensure that all health information is permanently either destroyed or de-identified. Now, that means more than just removing the patient's name. You need to make sure that there’s absolutely no prospect of the patient being identified from what remains of the record. We're going to put a polling question up there. I'll be interested to see what you think about which of these things can be used to potentially identify someone, or re-identify someone from a medical record.
Sally: Yes, thank you David. So you can select all that apply. So which of these items from a medical record could be used to potentially identify someone: a) name b) address c) date of birth d) postcode or e) list of medical problems? And you can select all that apply.
David: Okay. Oh, that's really good. So thanks everyone. It looks like most of you are aware that the common demographics of name, address and date of birth can certainly be used to re-identify people. But you need to be aware that de-identification means that even the patient wouldn't recognise it as their own record. The list of medical problems is often, if not unique to someone, in combination with one of those other things, that certainly could be unique. And even the combination of postcode, sex and age (not date of birth but age), is often enough to narrow you down from 25 million Australians to one of a handful of Australians. So just be really aware that the de-identification of records is really really tricky. If you are deciding not to keep a record, I would strongly suggest destroying them.
All right. Now, we talked a little bit earlier about if you sell the practice or you close the practice. I think it's fairly well understood that the records are an asset. And in fact, most (if not most then a significant proportion) of the general practice's asset value is probably contained within the patient roll, and the information you collect about your patients. Unfortunately, the Privacy Act isn't particularly well-suited to the sale or transfer of medical records between organisations for non-medical reasons. So if you were to sell up, you know, if you're a sole practitioner and you sell up to another general practice, it's sort of a bit unclear from the legislation, and from the Australian privacy policies, about whether consent is required from each patient whose medical record is being transferred, and you know, which parties require that consent. So some organisations suggest that it's just practically too difficult and therefore this need not be sought. I think wherever it's possible and practical, a long settlement period when selling is highly recommended, so that for the transfer of any medical records, consent can be obtained by a reasonable number of patients, either express or inferred. And there's a number of ways that you can do that. It might include direct consent forms, prominent notices about transfer of the records in the practice or sent to the patient or published in the local newspaper. You must make sure that before settlement of any sale, you maintain the records securely and prevent any unlawful access or modification, just as you would even if you weren't selling the practice. Closing a practice is a slightly different scenario and you should again take reasonable steps to identify patients affected by the closure of any practice and to facilitate the transfer of their record to another GP. Different states do have different requirements in regards to closure of general practices.
For example legislation in Victoria requires that you publish a notice in the local newspaper saying that you're closing or selling the practice and detailing the way in which the practice proposes to deal with the medical records. That allows patients to be aware of what's going on and to consent, or to expressly withdraw consent for that transfer. If you are closing your practice or selling your practice, I'm sure you'll be seeking professional advice. And this is one of the things that you should be asking about. Any records that aren’t transferred when you sell the practice need to be securely stored for the minimum length of time, as stipulated by legislation as we talked about earlier.
I think it's important to remember that My Health Record is not a replacement for your local clinical records. My Health Record, as most of you will be aware, is a shared national electronic health record system. It does not supplant normal communication between providers. Sometimes some of our colleagues do need reminding of that. It certainly is a useful tool for those of you that are engaged in it, but it's not mandatory for any practice in Australia, or any practitioner, to be engaged in the My Health Record system. Patients have no direct control over what is recorded in your local system, but they do have the right of control in some manner of the information that's uploaded. For those of you that aren't familiar with My Health Record, there is basically a number of different documents that general practices would generally be uploading to the My Health Record and the Shared Health Summary is one of them. It’s very similar to the old style front-page from the RACGP records. It's a document that contains information about medical history, medicines, allergies, adverse reactions and immunisations. This is generally populated straight from your local records from your usual clinical information system. And I think those of us that are participating realise that the better quality our records are, the easier the process is. A Shared Health Summary must be created by someone called the patient's Nominated Healthcare Provider and that's usually their regular GP. The Shared Health Summary is the one exception to the standing consent model discussed earlier. You do need to be aware that you need to seek confirmation that you are the Nominated Healthcare Provider for that patient in uploading the Shared Health Summary. Event summaries are the other kind of document that GPs create, and they’re used where you’re not the patient's usual health care provider, so for example, if you are working in an after-hours GP clinic or hospital, or you've seen a patient who's traveling.
That’s when you create those Event Summary documents.
We're going to talk briefly now about privacy policies and the kind of privacy policies that should be in place in your practice. If you are an accredited practice, you must have a privacy policy and even if you aren't I think having it is a good idea. It must be freely available, whether you've got printed copies at reception or in the waiting areas, or you put it on your website. The content is a little bit different between each practice because every practice has different processes, uses different software and so on. But in general we'd expect it to enable you to better manage patient inquiries or complaints concerning their health information. There is a template that the RACGP has developed. It's freely accessible - yours and my membership fees at work. So we might as well use the resources that are available. The other thing about a privacy policy is that it does actually have to reflect reality. You do need to follow what's in it. It covers how you collect, and use, and disclose personal information health information, how patients can access or correct it and how complaints can be made and how they will be dealt with. And remember some of those things we talked about earlier like disclosure of information overseas, that's a really good thing to be including in your practice policy. If you've never read your practice privacy policies, that's a really good thing to go away and do over the next day or two. I've always been entertained by the fact that ours says we can release information on national security grounds. I still don't really know what that means. And as far as I know it's never come up, but it's really important for you to be aware what you are asking patients to sign, when they sign up, and that's true whether you're a practice owner or a contractor for a practice. You may be surprised to find some obligations that you are not aware of and it will certainly help you answer any questions patients have.
So, yes, you'll be sent around that template now.
Finally, this is for practice owners. It's for contractors. It's for employees. It's for our reception staff. It's for our nursing staff. It’s for our administrative staff. This is for everyone. All practice team members should have a confidentiality and privacy agreement in place. Generally speaking you'd ask them to sign that during induction and about the same time you get them to sign your internet and email use policy. This is really important to protect practice owners in the event of legal proceedings should information be disclosed in a way that it shouldn't be. And it's also important that all of us in a practice are aware of our own personal obligation to the practice, to our patients and to each other. Along with that, any service providers that you have need to have a really clear agreement with your practice as well around the management of health care information. And the standard example of that is your IT service provider. They are by default of their job going to have almost unfettered access to your clinical information systems. And although they are often experts in IT security, they may not be aware, especially if they're not a specialist IT health care provider, of some of the obligations that we have on us. I think healthcare is one of the most complex sectors in the world. I know an architect friend of mine always says that hospitals are harder to design than anything else, with airports and hotels coming in second and third. And I think that's probably true of healthcare information as well. We have many many constraints on our use of data, but we also share it with lots of people under certain circumstances. And so it's important that your IT service providers, and anyone else who has lots of access to your health care information, know what their obligations and your obligations are. Information on what to include in these agreements can be found in the RACGP’s Information Security guide, which we will send a link to now.
I know we've sent lots and lots of resources around this stuff, because it is potentially a tricky area. So please do make good use of those.
Finally the My Health Record. Practices that are involved in the My Health Record system must have a My Health Record policy. That's required by the rules of the My Health Record system. If you are participating then you will need to have a written policy that addresses a number of matters including how people are authorised to access it, what training and what information security measures are established in the practice. Again, please don't go away and try and write that from scratch. Our team has done the heavy lifting for you and we will send around a link to our My Health Record resource page which includes the policy template to use. You're certainly welcome to build on that.
There are some final considerations which I want to very quickly cover. And the first of those is communicating with patients via electronic means. So I guess the most common thing here is emailing patients about their information. Many of our patients are asking for us to communicate with them over email and there are certainly some concerns that arise with using unsecured or unencrypted email to discuss or share health information with patients. And those are things like: what if you sent it to the wrong person? What if they have their email on their laptop or their phone which gets stolen? What if they forward it without your knowledge? That's something that patients are certainly entitled to do but you just have to be aware that that's something that could happen and there is always the potential, like post and fax, that unsecured email is vulnerable to interception by unauthorised third parties. You’re not actually responsible for ensuring the security of the email while it's in transit or once it has been delivered to the recipient, but you need to make sure that you mitigate risks at the practice end, which includes things like making sure their email is up to date and that it's entered correctly. There are often claims that the RACGP or that other standards bodies have banned the use of email, and that's certainly not the case, but we just really encourage you to be very cautious and determine if it's clinically appropriate to discuss certain issues over email. Any relevant conversations you have need to be recorded in the patient's health record and you need to apply the same principles that you do to a letter to the patient that might be opened by another member of the family. I know certainly in our recall system, we say in very general terms what recalls are required in order to avoid disclosing any particular information that may be sensitive to other members of the family if a letter is left lying around.
We'll send you a link to our resource on using email in general practice and I believe that's due for an update in the near future. So hopefully there will be a new version out soon.
Finally marketing initiatives. I guess most of us don't think that we're actually engaged in marketing, but you can still be a little bit careful because promotional services, even those in the shape of a reminder or part of good clinical practice, may technically constitute direct marketing (so marketing where the ordinary retail environment is bypassed and you're promoting things directly to the customer). So you just have to be a little careful about clinical initiatives which might breach those laws. Letters that promote flu vaccination, that may well be direct marketing. But if letters relate to ongoing care, that's much less likely to contravene privacy laws, especially if the patient's informed of scheduled assessments or similar, rather than specifically promoting any services. So you can always obtain patient consent either via opt-in or opt-out mechanisms on your registration sheets and particularly confirming that consent when the patient presents to the practice. And you might even consider undertaking a direct consent campaign for the particular marketing and marketing initiatives.
All right. I know I've given you a huge amount of information tonight and I hope some would be useful. If you need further information or you're not clear on some of this stuff or you want more advice there is lots of information available out there. The links on the screen that you're seeing now are to state and federal government bodies, the Office of the Australian Information Commissioner is right at the top there. They are the federal government body that maintains things like the Australian privacy principle. And then each state will have its own office that's relevant to healthcare records.
We've also got a privacy resource which we took a look at earlier and that's produced by the RACGP Practice Technology and Management team and includes things like the policy template and the pamphlet that you can give out, as well as a lot of the things we've already talked about tonight. The resources are designed to align with current best practice and look at things like the Australian privacy principles, the health record legislation and how you can comply with those things in the general practice setting. So lots of high-level stuff, but not particularly tailored to any particular practice environment and unfortunately like anything it's not exhaustive. So if you are relying on its content or integrating it into your practice policies and procedures it’s certainly worth seeking appropriate legal or professional advice. We will send you a link to that again. All right, a quick note from our sponsors here at the RACGP Practice Technology and Management Committee. As I say, yours and my membership fees go into producing a lot of these wonderful resources. So we hope they’re useful and we want people to get something out of them.
We've covered some of the main areas of interest tonight, but some of the other things that you may find useful are the RACGP’s Information security in general practice resource, the Secondary use of general practice data guide, the guide on improving healthcare record quality in general practice and our fact sheet on notifiable data breaches, which is a new legislative scheme brought in in February last year. So in some cases there are mandatory requirements for organisations who deliberately or inadvertently lose control of information and what they should do about that. So those links will be sent to you now and we've talked about some of those in previous or upcoming webinars. The Australian Digital Health Agency did help with some of the preparation of this webinar. And so we've collaborated with them on the information that's been provided. I think, speaking to staff at the agency, they're often concerned that people think all they do is the My Health Record. And while that's an important part of the national digital health strategy they are also working on secure messaging - so transfer of information between practices, on the big interoperability project which is designed to let the various software packages talk to each other directly rather than having to print out entire medical records and then scan them in at the next practice, which I think we're all getting a little bit too sick of. Their work on electronic prescribing and electronic prescriptions is really exciting for those of us that do home visits and hospice work, and particularly aged care. I think that's going to take a huge administrative burden off our reception and admin staff and we're looking forward to more of that coming in the future. It’s supposed to be starting in October, but I think there's going to be a bit of a phased introduction. And I've got some information around enhanced models of care.
So looking at children's health, digital pregnancy records, digital health checks for kids, that kind of thing. So lots of work being done by the ADHA. I think we'll send you some information about what those things are now.
And finally we're still running webinars this year. So recently we've done a number of webinars on the Notifiable Data Breaches Scheme, the My Health Record, information security, improving data quality in general practice. There was a really good one on SafeScript for those of us who are Victorian, and these technology in general practice. So coming up later in the year - next month we've got telehealth video consultations in general practice and in October we're drilling down into some of that secondary use of general practice data, which we've talked about earlier. So there's a link coming around now to those webinars. Hopefully, we'll catch you at one of those soon.
So that's all I've got to say. I'll head back to Sally.
Sally: Yes. Thanks David. Thanks for giving us a great overview of privacy and managing health information. And now as promised we have allocated some time to answer your questions and we hope you will stay with us and participate. Also, please note that this presentation is being recorded and will be made available online in the coming weeks. Okay. So if you would like to ask David a question, please type it into the message box in your control panel. And we've had some questions come through during the presentation. So I'll just kick off with the first one, David: “does having birthday greetings to patients on a public board in the surgery violate patient privacy?”
David: I'd be really careful about doing that. I think that that may well break someone's privacy. You've got to remember that the patient's date of birth is information that can actually be used to access an enormous amount of information about them and that many of us would prefer for people not to know when their birthday is. I'd be very nervous about doing this. I certainly wouldn’t do that in my practice. I’d be very careful if that's something you're going to do.
Sally: Okay. Thank you. And this one's about transfer of medical records. “Are clinics allowed to delay transfer of medical records when a doctor moves clinics, if a patient signs a release of Records?”
David: Yeah, look, I think we've all experienced the delay of the transfer. There is no reason that the practices should be doing that. I think your patient safety is what is paramount and patients have a very reasonable expectation that their information is transferred in an appropriate fashion. If practices are delaying the transfer just because the doctor has moved practices and they don't want to, I’d bet that's really not a good enough reason. You just need to make sure that, for example, in your employment contracts or your contractor arrangements with your practice, that if you do leave the practice, they may have some caveats over restraint of trade around saying those patients will not be able to get their records transferred. So in the general case, I don't think that's an appropriate thing to do at all and I think ‘well what if they do it out of spite?’ Well, you know, that's really not a good enough reason.
Sally: Okay, and is it legal to charge for your time to submit a subpoena?
David: Well, look, it's legal to charge for anything you like; whether or not you get paid is an entirely separate matter. It really depends on the jurisdiction, it depends on the court, remembering that a subpoena is something that you are required to comply with. So if you request reasonable costs for complying with that, you may be paid but if they refuse to pay you, then that doesn't excuse you from your requirements. I think there was quite a good thread on one of the social media platforms about whether or not complying with requests or asking for money first is wise. You do have to remember that the court orders must be complied with, otherwise you’re potentially in contempt of court which can involve jail time. So you're certainly welcome to ask for the money whether or not you get it. Actually I’ve received a summons and that basically says if you submit a request for reasonable costs or loss of income, they will pay it in some circumstances. But again, it's very much at the pleasure of the court. So, you're welcome to submit a request for payment. Even if they don't pay up you may still be required to attend. So just be aware of that.
Sally: Okay. Thanks David. And I think we've got time for one more question. And that is “how do you destroy x-rays where the patient won't take them?”
David: Well, look, if you're my practice, we just hang on to them until the heat death of the universe. I think that sounds kind of funny but it's really important not to just throw them in the bin. Many old X-ray films do contain valuable or poisonous chemicals and compounds. Most radiology firms will have a process for securing the recycling of those films. And so you should speak to the providing radiologist about destruction of films. Now, if you've got films from half a dozen different providers I recognise that is going to take some time. Some practices or some radiology practices might be willing to take films that they haven’t produced. Some might not, so definitely discuss that with your radiologist.
Sally: Okay. Thanks David. Well that brings us to the end of tonight's webinar. Thanks so much for a great presentation, David.
David: Thanks for having me. I really hope everyone learned something tonight.