Privacy and managing health information in general practice

Privacy considerations: A summary

Last revised: 24 May 2023

Privacy considerations: A summary

 

Privacy considerations summary

This list of considerations should be used as a guide only and does not exhaustively describe the complete list of activities that should be undertaken when assessing privacy measures within your practice.

Each privacy consideration is included to guide you on what is required to address each question. The privacy considerations list is to help your practice:

  • assess its level of compliance to the laws governing health information
  • assess, achieve and maintain good privacy practice
  • identify areas requiring practice innovation and improvements, and to seek assistance where necessary.

 

Privacy considerations

Establishing a practice privacy policy

Does your practice have an up-to-date, accurate, accessible and freely available privacy policy?

Your practice should have a policy that defines how to handle enquiries and complaints.

Quality and content of medical records

Does your practice have processes in place to ensure it holds accurate and up-to-date data at all times, including accurate health summaries and medication lists?

Your practice should develop a policy for everyone to understand and follow regarding how data is accurately collected and safely held.

Patient consent

Does your practice have a procedure for requesting and recording patient consent?

Do your practice staff understand the requirements surrounding this?

Consent might be sought for primary and secondary uses provided they are adequately stipulated. Although inferred consent might be relied on in certain circumstances, express consent (a signature or a documented positive response to a question) should always be sought.

Collecting health information

Does your practice have defined processes to inform patients of when, what and how the practice collects health information?

Does your practice have a process or policy in place to handle requests for anonymity or pseudonymity?

This might include manual procedures, practice policies or the ability of your systems and software to handle the tasks.

Patient access to personal information

Does your practice have procedures for handling patient requests for access to and correction of their information?

These procedures include assessment of requests, refusal procedures and administration fees.

Use and disclosure of personal information

Does your practice have a process for patients to opt in or out of marketing communications?

Ensure you communicate marketing options to your patients clearly and transparently.

Medical research

Does your practice have procedures for conducting health research, including participant consent and notification?

This includes procedures for how to deal with requests for the secondary use of data. Refer to the RACGP’s Secondary use of general practice data resource for guidance and a decision-making support tool.

Quality improvement and continuing professional development

Does your practice have procedures to record occurrences of patient information use for quality improvement and continuing professional development?

Your practice’s privacy policy should disclose whether patient information is used for continuing professional development purposes and/or for quality-improvement activities.

Information security and data retention

Does your practice offer an information security level sufficient to ensure the safe and proper protection of the information it holds?

Does your practice have a process for document classification, retention, destruction and de-identification of patient information?

This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods.

Healthcare provider identification

Does your practice have a process for identifying the need for, and recording of, the consent of a healthcare practitioner?

This occurs when sharing information identifies the practice even though the patient health information might be de-identified.

Healthcare identifiers

Do your practice staff understand the restrictions on use of healthcare identifiers?

Educate staff on the requirements of the Health Identifiers Act 2010 and other government initiatives that your practice is engaged in.

Mandatory data breach notification plan

Does your practice have a data breach response plan?

Your practice should have a regularly tested emergency response plan to deal with data breaches and a plan outlining how to, and who should, communicate a data breach.


 
  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988.1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].

Advertising