Education Toolkits

Privacy and managing health information in general practice

Privacy considerations summary

Last revised: 12 Jul 2024

Privacy considerations summary

This list of considerations should be used as a guide only and does not exhaustively describe the complete list of activities that should be undertaken when assessing privacy measures within your practice.

Each privacy consideration is included to guide you on what is required to address each question. The privacy considerations list is to help your practice:

  • assess its level of compliance to the laws governing health information
  • assess, achieve and maintain good privacy practice
  • identify areas requiring practice innovation and improvements, and to seek assistance where necessary.

Does your practice have an up-to-date, accurate, accessible and freely available privacy policy?

Your practice should have a policy that defines how to handle enquiries and complaints.

Does your practice have processes in place to ensure it holds accurate and up-to-date data at all times, including accurate health summaries and medication lists?

Your practice should develop a policy for everyone to understand and follow regarding how data is accurately collected and safely held.

Does your practice have a procedure for requesting and recording patient consent?

Do your practice staff understand the requirements surrounding this?

Consent might be sought for primary and secondary uses provided they are adequately stipulated. Although inferred consent might be relied on in certain circumstances, express consent (a signature or a documented positive response to a question) should always be sought.

Does your practice have defined processes to inform patients of when, what and how the practice collects health information?

Does your practice have a process or policy in place to handle requests for anonymity or pseudonymity?

This might include manual procedures, practice policies or the ability of your systems and software to handle the tasks.

Does your practice have procedures for handling patient requests for access to and correction of their information?

These procedures include assessment of requests, refusal procedures and administration fees.

Does your practice have a process for patients to opt in or out of marketing communications?

Ensure you communicate marketing options to your patients clearly and transparently.

Does your practice have procedures for conducting health research, including participant consent and notification?

This includes procedures for how to deal with requests for the secondary use of data. Refer to the RACGP’s resource for guidance and a decision-making support tool.

Does your practice have procedures to record occurrences of patient information use for quality improvement and continuing professional development?

Your practice’s privacy policy should disclose whether patient information is used for continuing professional development purposes and/or for quality-improvement activities.

Does your practice offer an information security level sufficient to ensure the safe and proper protection of the information it holds?

Does your practice have a process for document classification, retention, destruction and de-identification of patient information?

This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods.

This occurs when sharing information identifies the practice even though the patient health information might be de-identified.

Do your practice staff understand the restrictions on use of healthcare identifiers?

Educate staff on the requirements of the Health Identifiers Act 2010 and other government initiatives that your practice is engaged in.

Does your practice have a data breach response plan?

Your practice should have a regularly tested emergency response plan to deal with data breaches and a plan outlining how to, and who should, communicate a data breach.

 
 
This event attracts CPD points and can be self recorded

Did you know you can now log your CPD with a click of a button?

Create Quick log

Advertising