Key points
- Your practice must take reasonable steps to protect personal information it holds:
  - from misuse, interference and loss
  - from unauthorised access, modification or disclosure.
- Cross-border disclosures must be preceded by reasonable steps to ensure no privacy breaches will occur.
Practices should refer to the RACGP’s resources on protecting your practice information to ensure best practice is followed for information security.
Risk assessments
Adopting appropriate information security measures is vital to ensure health information is protected,13 and these should cover information systems for storing, processing and transmitting information.
Practices should develop and implement appropriate policies and procedures specifying which staff have access to health information and under what circumstances. It is recommended that practices regularly audit these measures and perform practice risk assessments as appropriate.
Physical measures for protecting the security of health information include having locked filing cabinets and security alarm systems to detect unauthorised access, and ensuring there is no unauthorised after-hours access to the practice.13
For information stored electronically, security measures may include password protection, automatic log offs, log file/electronic audit trails, firewalls, malware and virus protection, and ensuring the encryption of data for high-risk transmissions.
Electronic transfer of information
Electronic transfers of information are governed by the same privacy principles regarding the use and disclosure of that information.
Prior to sending any electronic communication GPs should ensure secure encryption protocols are in place and operating effectively. Although unlikely, email can be intercepted, retrieved and read by unintended recipients without authorisation.
For further information, refer to the RACGP’s resources on using email in general practice.
Patient communication via electronic mediums
The ease of and access to sending and receiving messages electronically means patients are using this medium more frequently to contact their general practice.
The Australian Health Practitioner Regulation Agency’s National Board policy for registered health practitioners: Social media policy14 is an adjunct to the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia and should be read concurrently. Its provisions apply to all registered health practitioners.
Your practice needs to address what content is appropriate to send and discuss via electronic messaging. A policy should be developed concerning the safe use of electronic communication for both practice and patients. It should be noted the full implications of the Privacy Act apply to any electronic communication, and online privacy breaches may be far more significant than the same breach using paper communication.
Patients are highly unlikely to send encrypted emails, so content within an email should be limited in scope. Due to the inherently insecure nature of the internet, health information should not be sent through unsecured channels. Where possible, secure message delivery should be used between practices with compatible encryption processes.
Secure destruction and de-identification
Unnecessary health information should be destroyed securely to prevent unauthorised access. Prior to destruction, consideration needs to be given to the relevant retention requirements under any applicable health legislation (refer to Section 3.3.3. Retention and destruction of medical records).
Secure deletion occurs where the records are no longer accessible through normal or forensic means. Ordinarily, deletion from a database does not totally erase the record nor does it remove the record from the hard disk or other storage medium. Unless data is erased and overwritten multiple times, the data may remain on the storage medium and be accessible forensically.
Deleting individual patient records may not be possible due to practice software limitations. Where relevant, advice should be sought from software vendors or other professionals.
More information on secure deletion of data can be found in the RACGP’s resource Effective solutions for e-waste in your practice.
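As an added illustration of the point above (this is not code from the RACGP's resources), the following Python script uses SQLite to show that a record deleted in the ordinary way is still readable in the raw database file, and that it is gone only once the engine is told to overwrite freed space. The table name, file name and marker value are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value: a distinctive string we can search for in the raw file bytes.
MARKER = "ZZ-CONSTRUCTED-PATIENT-RECORD-ZZ"


def deleted_record_remains(secure_delete: bool) -> bool:
    """Insert a record, delete it, then scan the raw database file for its bytes.

    Returns True if the deleted record's content is still present in the file
    (i.e. recoverable by reading the file directly rather than by querying),
    False if the engine overwrote it.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "records.db")
    try:
        conn = sqlite3.connect(path)
        # secure_delete makes SQLite overwrite freed cell content with zeros
        # instead of merely unlinking it. It is set explicitly so the result
        # does not depend on the library's compile-time default.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, notes TEXT)")
        conn.execute("INSERT INTO patient (notes) VALUES (?)", (MARKER,))
        conn.commit()
        # Ordinary deletion: the row disappears from query results ...
        conn.execute("DELETE FROM patient")
        conn.commit()
        if conn.execute("SELECT COUNT(*) FROM patient").fetchone()[0] != 0:
            raise RuntimeError("row should be gone from query results")
        conn.close()
        # ... but the page space it occupied is only marked free, so unless
        # secure_delete was on, the bytes are still sitting in the file.
        with open(path, "rb") as f:
            return MARKER.encode() in f.read()
    finally:
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)
```

Note that this only addresses the database file itself: the rollback journal SQLite removes on commit, and any sectors the operating system frees, are exactly the places where forensic recovery still succeeds, which is why the storage medium must also be overwritten before disposal.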
Case study 4: International consultation
Dr Murray, a GP, has been approached by a patient with a particular abscess on his leg.
During the consultation, Dr Murray recalls a seminar he attended that discussed very similar wounds, led by a professor from Canada.
Dr Murray considers it appropriate to refer the wounds to the professor, and so takes several photographs of the abscess on his patient’s leg. These photographs are later emailed to Canada along with pertinent extracts of the patient’s notes (including some personal information).
Unwittingly, Dr Murray is likely to have breached the cross-border disclosure laws. Dr Murray could have managed the situation better if he:
- sent the photographs in a de-identified form
- sought the patient’s informed consent to the disclosure
- investigated the privacy laws that apply in Canada
- sought the professor’s assurance that the photographs would be examined in strict confidence, prior to sending them, and that they would be destroyed afterwards.
Security policy
It is recommended that your practice develops and implements an information security policy. Such a policy will assist in ensuring that organisational systems used for processing, storing or transmitting personal information are managed and protected appropriately.
To be effective, security policies must be known by practice staff and monitored and reviewed on a regular basis.3