Standards for general practices

Core module

Criterion C6.3 – Confidentiality and privacy of health and other information

Last revised: 24 Feb 2023

Indicator

C6.3 A Our patients are informed of how our practice manages confidentiality and their personal health information.

C6.3 B Our patients are informed of how they can gain access to their health information we hold.

C6.3 C In response to valid requests, our practice transfers relevant patient health information in a timely, authorised, and secure manner.

C6.3 D Only authorised team members can access our patient health records, prescription pads, and other official documents.

Why this is important

You must collect personal health information and then safeguard its confidentiality and privacy in accordance with:

  • the Australian Privacy Principles (APPs) contained in the Privacy Act 1988
  • long-standing legal and ethical confidentiality obligations
  • other relevant state or territory laws (which may or may not be health specific).

You are subject to stringent privacy obligations because your practice provides health services and holds health information. Health information is a subset of personal information. Personal information is, by definition, sensitive; it requires more rigorous protection than non-sensitive information. Personal information can include any information collected in order to provide a health service, such as a person’s:

  • name and address
  • bank account details
  • Medicare number
  • health information (such as a medical or personal opinion) relating to their health, disability or health status.

Even if there is no name attached to particular details, some details about a person’s medical history or other information could identify the person (eg details of an appointment). Therefore, this information is still considered health information and must be protected in accordance with the Privacy Act 1988.

If unauthorised people have access to prescription pads and/or other official documents they can misuse these documents, particularly to gain access to medication that has not been prescribed to them.

Meeting this Criterion

Consider and address:

  • all privacy requirements
  • how to manage the responsibilities of the practice team
  • the risks associated with keeping health records.

This includes reviewing and developing policies about your practice’s use of:

  • computer systems and IT security
  • systems that automatically generate letters or referrals
  • email
  • social media
  • file sharing applications.[28]

Real-time audio/visual recording, duplication and storage of a consultation, including consultations conducted via telehealth or otherwise remotely (see Criterion C6.4 – ‘Information security’), must never occur without the patient’s consent.

The RACGP’s Privacy and managing health information in general practice explains the safeguards and procedures that general practices need to implement in order to meet legal and ethical standards relating to privacy and security. Your medical defence organisation can also provide information and advice about developing relevant strategies.

A privacy policy

Your practice must document a privacy policy that addresses the management of patient health information, and must inform patients of the policy. Your privacy policy must be written in plain English, specify a review date, and address certain legal requirements, which include:

  • information about collecting health records
    • the definition of a patient health record
    • the kinds of personal information that the practice collects and holds
    • how and why the practice collects, stores, uses, protects and discloses personal information
    • how patients can communicate with the practice anonymously
  • patients’ interactions about their privacy and health information
    • how patients can access and correct personal information held by the practice
    • how a patient can complain about a breach of the APPs or of a registered APP code, and how the practice will deal with such a complaint
  • disclosure of patients’ health information to a third party
    • obtaining informed patient consent when disclosing health information
    • to whom health information is likely to be disclosed
    • whether health information is likely to be disclosed overseas and, if so, where and how
    • how the practice uses document automation technologies, particularly so that only the relevant medical information is included in referral letters.

Refer to the RACGP’s privacy policy template.

For further information about privacy, visit the Office of the Australian Information Commissioner’s (OAIC’s) website at www.oaic.gov.au.

Your practice must make your privacy policy available to patients. This could be on your website or reception staff could produce a copy when a patient asks for one.

Disclosure of patient health information to a responsible person

The Privacy Act 1988 permits an organisation to disclose necessary health information to an individual’s responsible person (such as a carer), providing:

  • it is reasonably necessary, in the context of providing a health service to that individual
  • the individual is physically or legally incapable of consenting or communicating that consent.

If a carer is seeking access to a patient’s health information, it is a good idea to seek advice from your medical defence organisation before giving the carer access to the information.

Secure transfer of health information

When communicating information about patients to health services and government agencies, always use secure electronic communication.[29]

When transferring patient health information to others (eg patients, other health service providers, or in response to third-party requests), follow the processes in the APPs and all requirements of relevant state or territory laws addressing the transfer of patient health information.

For further advice about what information could be transferred, refer to the RACGP’s Managing external requests for patient information.

Contact your insurers if you have any concerns about third-party requests for the transfer of patient health information.

Familiarity with requirements

The practice team must read and understand your privacy policy and understand the need for confidentiality of patient health information. As well as being familiar with the APPs, team members need to be familiar with the relevant state/territory laws about privacy and health records. For more information about privacy laws in each jurisdiction, visit the OAIC website at www.oaic.gov.au/privacy-law/other-privacy-jurisdictions.

Appropriate access to patient health records and/or other official documents

Staff have a responsibility to use patient information only for its intended purpose and for the benefit of the patients. Access to patient records is given to members of the practice team so that they can perform their roles and provide efficient service to the patients and other team members.

Meeting each Indicator

C6.3 A Our patients are informed of how our practice manages confidentiality and their personal health information.

You must:

  • maintain a privacy policy.

You could:

  • maintain a patient health information management policy.

C6.3 B Our patients are informed of how they can gain access to their health information we hold.

You must:

  • maintain a privacy policy.

You could:

  • educate the practice team about the need for confidentiality and have each member sign a confidentiality agreement, which is stored in their employment file
  • maintain a patient health records policy.

C6.3 C In response to valid requests, our practice transfers relevant patient health information in a timely, authorised, and secure manner.

You must:

  • maintain a privacy policy.

You could:

  • document in the patient’s health record their consent to communicate electronically
  • undertake regular privacy training
  • protect the patient’s privacy when communicating electronically with or about patients by using a secure message system or other method of encryption, unless the patient has provided informed consent to their information being sent without such protection.

C6.3 D Only authorised team members can access our patient health records, prescription pads, and other official documents.

You must:

  • maintain a privacy policy
  • securely store all official documents, including prescription forms, administrative records, templates and letterhead.

You could:

  • maintain a policy addressing the management of patient health information.