Privacy and managing health information in general practice

Privacy and information security

Last revised: 24 May 2023

Effective information security practices and policies are essential to protect the privacy of health and business information. Using healthcare identifiers instead of names also helps protect privacy, as does establishing clear policies for the use of information in health research.

Privacy and information security

  • Your practice must protect personal information it holds from:
    • misuse, interference and loss
    • unauthorised access, modification or disclosure.
  • Cross-border disclosures (ie disclosing information to an overseas recipient, including through cloud computing providers) must first undergo a thorough risk assessment to ensure that no privacy breach will occur.
  • As previously discussed, it is essential for your practice to:
    • conduct in-depth risk assessments
    • ensure safe electronic transfer of information
    • safely communicate via electronic mediums with patients
    • securely de-identify and destroy patient data
    • have an effective and updated security policy.
  • Practices should refer to the RACGP Information security in general practice resource for guidance and further information on information and cyber security.

Case study: International consultation

Dr Murray, a GP, has been approached by a patient with an abscess on his leg. During the consultation, Dr Murray remembers a seminar, led by a professor from Canada, that discussed very similar wounds.

Dr Murray considers it appropriate to refer the wounds to the professor and takes several photographs of the abscess on his patient’s leg. He later emails these photographs to Canada along with significant extracts of the patient’s notes (including some personal information).

Although inadvertently, Dr Murray is likely to have breached the cross-border disclosure laws. Dr Murray could have managed the situation better if he had:

  • sent the photographs in a de-identified form
  • sought the patient’s informed consent to the disclosure
  • investigated the privacy laws that apply in Canada
  • sought the professor’s assurance that the photographs would be examined in strict confidence, before sending them, and that they would be destroyed afterwards.

Create a policy: Clear screen

Your practice policy and procedures should include clearing screens for privacy.

Your policy should cover the following:

  • remember to exit the previous patient’s electronic file before the next patient enters the consulting room
  • position computer monitors to keep information private, including computers used by reception staff at the front desk
  • use ‘clear screen’ function keys, which instantly close down an open file or switch off the monitor
  • use password-protected screensavers
  • log off when leaving computers unattended or use automatic session time-outs.

Create a policy: Clear desk

Your practice policy and procedures should include clearing desks for the purpose of securing information and data.

Your policy should remind staff that:

  • at the end of each day, each practice team member clears their desk of all documents, notes and media
  • all documents should be removed from printers and fax machines immediately after being copied, sent or received.