Information management relating to general practice

The use of health information for business purposes

Patients would reasonably expect their personal information to be used for the following secondary purposes. Therefore, specific consent would not be required for:

• ‘normal internal business practice, such as auditing, business planning’³
• billing or debt-recovery (confidentiality should be maintained).

This expectation will likely extend to practice staff having access to patient health information for these same purposes.

Advice confirming this should be sought prior to a particular disclosure to a third-party service provider engaged for these purposes.

Group practices

In group practices that allocate GPs to patients on the basis of availability, a patient’s health information will be disclosed to and used by whichever GP sees the patient.

New patients should be made aware of this rolling or rotating use of GPs. Patients should be made aware of the consulting GP when booking their appointment. It is reasonable to infer consent to the use and disclosure of the patient’s health information in this context if the patient does not otherwise object to seeing the allocated GP.

This principle extends to the incorporation of new GPs into existing practices or partnerships. While the primary purpose of using the health information is the provision of healthcare services by the practice, it is still technically a disclosure requiring prior consent under the privacy laws. It is possible to infer consent when a patient has sought a consultation with the new GP.

Transfers between related bodies corporate

There is no express permission to transfer health information between related bodies corporate or service trusts. Ideally patient consent to this transfer should be obtained.

Corporate practices and practices employing service trusts should therefore ensure each involved entity has sufficient consent to undertake its activities (one discloses, the other collects) to avoid interfering with a patient’s privacy.

Privacy considerations

A significant proportion of a general practice’s asset value is contained within the practice’s patient roll, and it is unlikely that a practice would be sold without it.

The Privacy Act is not particularly well adapted to the sale or transfer of medical records. Medical records would be transferred when a sale by a sole practitioner or an unincorporated practice involved the transfer of the general practice business (the medical files being one asset of that business).

Although the transferring of records containing health information occurs as part of a business sale, it is unclear whether consent is required from each patient whose medical record is being transferred and which parties require that consent. Some organisations suggest the transfer of medical records in this circumstance involves practicality issues and therefore consent need not be sought.

However, where possible and practical, a long settlement period is recommended for business or asset sales involving medical record transfer. This will allow consent to be obtained from a greater number of patients (either express or inferred) through consent forms or prominent notices of the transfer of the records, either in the practice or provided to the patient.

Prior to and during this settlement period, vendors must be careful to maintain the records securely and prevent unlawful access, modification, use or disclosure, and avoid inadvertent and unlawful disclosure of any personal information to the purchaser.

When asked to facilitate due diligence, vendors may consider restricting access to only selected purchaser personnel and only permitting the inspection of medical records (and not their reproduction). Providing de-identified documents may be appropriate.¹¹

Vendor GPs should also be aware that medical records may need to be retained (or at least accessed) for insurance or other medico-legal purposes. It is important the sale agreement and patient consents permit this.

If the sale is of shares in an incorporated general practice, there is no transfer of personal information (it is retained within the company), and privacy concerns will not apply to the transfer itself.

Deceased GPs

If a practice closes due to a GP’s death, the practice staff (or the executor in the case of a sole practitioner) should take reasonable steps to notify patients and organise transfer of their medical records to another GP.

Health record legislation

There are additional requirements for the transfer or closure of a general practice under current health records legislation.

For example, legislation in Victoria and the ACT require practices to publish a notice in a local newspaper stating that the practice is closing or being sold, and detailing the manner in which the practice proposes to deal with the medical records.

Where necessary, advice should be sought.

Maintaining accurate and complete medical records

It is important medical records are accurate, up-to-date, comprehensive and legible. GPs must take reasonable steps to ensure the health information and consultation notes they hold are well organised. Medical records should at all times be sufficiently detailed and accessible to allow another GP to continue the management of the patient.

Your practice should use a follow-up system (subject to patient consent) to ensure patients are regularly seen and medical records are maintained accurately and contain up-to-date information. The marketing aspects of such a system should be considered (refer to Section 3.4. Marketing).

Ownership

Patients do not own their medical record. Ownership may vary as follows:

• Sole practitioners retain full ownership over their medical records.
• Contract and employee GPs are likely to be creating medical records for their principal or employer, and unlikely to own these themselves.
• GPs operating in a partnership may have a claim to a shared partnership interest over some or all of the totality of medical records.
• GPs who own an incorporated practice own its assets and this usually includes the medical records; in the absence of any agreement specifying otherwise, multiple owners own the medical records jointly.

The ownership of medical records is most often settled by written agreement. In the absence of such an agreement, ownership may be dependent on the nature of the relationship between the GPs.

It is recommended the ownership of medical records is clarified before GPs commence at a new practice, to avoid any later dispute when a departing GP proposes to take records with them. It is recommended that appropriate advice is sought prior to entering into any such agreement.

Despite the above, GPs are required under the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia to promptly facilitate the transfer of health information when requested by a patient.⁷  

Retention and destruction of medical records

Your practice should retain health information as required, and in accordance with the applicable laws.

The Privacy Act requires health information to be destroyed or permanently de-identified once it is no longer needed for any authorised use or disclosure.

However, the ACT, NSW and Victoria require medical records to be retained until a child turns 25, and for adults, for seven years from the date of the provision of the last health service. This overrides the Privacy Act.

Under some state and territory legislation, the destruction of any medical record is prevented when such record is likely to be involved in legal proceedings. It is recommended to seek advice on the current limitation periods applicable to your practice.

GPs must take reasonable steps to destroy or permanently de-identify health information following the expiry of these periods.

De-identification

Your practice may choose to permanently de-identify health information rather than destroy it. Care should be taken to ensure there is no prospect of the patient being identified from the remaining information.

The de-identification of health information is more than simply removing the patient’s name. Any identifying information contained in the medical record must be deleted or destroyed to ensure anonymity.

Whenever the information is in the form of individual data sets, there is a risk the data set could be linked to a particular individual based on details of age, postcode and medical condition. The more information included in the data set, the greater the risk of identification.

Even where data is aggregated, care is needed to ensure the number of people in each ‘cohort’ or sub-group is sufficient to ensure the privacy of the individuals is not compromised. For example, the relevant NHMRC guidelines specify a minimum of five sets of individual’s data in each cohort.¹²

Prohibitions on direct marketing

General practices may not ordinarily consider themselves to engage in marketing activities. However, any promotion of a practice’s services, even as scheduled reminders or as part of good clinical practice, may technically constitute direct marketing and therefore an interference with privacy.

Direct marketing refers to a marketing technique in which the ordinary retail environment is bypassed with the vendor promoting goods and services directly to customers. The regulation of direct marketing is much tighter with health information, and its boundaries in general practice are currently unclear. Practices should note many day-to-day clinical initiatives may inadvertently breach these laws. For example, letters that use or disclose personal information promoting commercial services to advise patients about flu vaccinations are likely to constitute direct marketing.

In contrast, the Australian Privacy Commissioner considers that letters relating to ongoing care are less likely to contravene privacy laws, especially if the letters merely inform the patient of scheduled assessments and do not specifically promote any services.

To avoid inadvertently breaching these laws practices should obtain patient consent by:

• requesting consent (via opt-in or opt-out mechanisms) on patient registration sheets and recording this consent in the management software
• asking for consent as patients present to the practice
• undertaking a directed consent campaign.

GPs must ensure they have adequate procedures in place to ensure marketing messages are not sent to patients who have expressed their refusal.

The Spam Act and Do Not Call Register

The Privacy Act defers to the operation of the Spam Act 2003 and the Do Not Call Register Act 2006.

As a general rule, these acts prohibit practices from sending unsolicited communications (by email, text message or phone call) with the aim of selling goods or services, or inducing the sale of the same. Practices sending solicited communications must ensure they meet any requirements in doing so, such as providing an unsubscribe function for mobile text message reminders.

It is important practices are aware of the applicable prohibitions (and their exceptions) when sending electronic (email or text messages) or telephone communications.

Risk assessments

Adopting appropriate information security measures is vital to ensure health information is protected,¹³ and these should cover information systems for storing, processing and transmitting information.

Practices should develop and implement appropriate policies and procedures specifying which staff have access to health information and under what circumstances. It is recommended practices regularly audit these measures and perform practice risk assessments as appropriate.

Physical measures for protecting the security of health information include having locked filing cabinets and security alarm systems to detect unauthorised access, and ensuring there is no unauthorised after-hours access to the practice.¹³

For information stored electronically, security measures may include password protection, automatic log offs, log file/electronic audit trails, firewalls, malware and virus protection, and ensuring the encryption of data for high-risk transmissions.

Electronic transfer of information

Electronic transfers of information are governed by the same privacy principles regarding the use and disclosure of that information.

Prior to sending any electronic communication GPs should ensure secure encryption protocols are in place and operating effectively. Although unlikely, email can be intercepted, retrieved and read by unintended recipients without authorisation.

For further information, refer to the RACGP’s resources on using email in general practice.

Patient communication via electronic mediums

The ease of and access to sending and receiving messages electronically means patients are using this medium more frequently to contact their general practice.

The Australian Health Practitioner Regulation Agency’s National Board policy for registered health practitioners: Social media policy¹⁴ is an adjunct to the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia and should be read concurrently. Its provisions apply to all registered health practitioners.

Your practice needs to address what content is appropriate to send and discuss via electronic messaging. A policy should be developed concerning the safe use of electronic communication for both practice and patients. It should be noted the full implications of the Privacy Act apply to any electronic communication, and online privacy breaches may be far more significant than the same breach using paper communication.

Patients are highly unlikely to send encrypted emails, so content within an email should be limited in scope. Due to the inherent insecure nature of the internet, health information should not be sent through unsecured channels. Where possible, secure message delivery should be used between practices with compatible encryption processes.

Secure destruction and de-identification

Unnecessary health information should be destroyed securely to prevent unauthorised access. Prior to destruction,consideration needs to be given to the relevant retention requirements under any applicable health legislation (refer to Section 3.3.3. Retention and destruction of medical records).

Secure deletion occurs where the records are no longer accessible through normal or forensic means. Ordinarily, deletion from a database does not totally erase the record nor does it remove the record from the hard disk or other storage medium. Unless data is erased and overwritten multiple times, the data may remain on the storage medium and be accessible forensically.

Deleting individual patient records may not be possible due to practice software limitations. Where relevant, advice should be sought from software vendors or other professionals.

More information on secure deletion of data can be found in the RACGP’s resource Effective solutions for e-waste in your practice.

Security policy

It is recommended your practice develops and implements an information security policy. Such a policy will assist in ensuring organisational systems used for processing and storing, or transmitting, personal information, are managed and protected appropriately.

To be effective, security policies must be known by practice staff and monitored and reviewed on a regular basis.³

From February 2018, the Privacy Act will impose a mandatory data breach notification scheme for ‘eligible data breaches’.

An eligible data breach is an authorised access, disclosure or loss of personal information by your practice resulting in serious harm to your patients.

Data breaches occur from time to time in any office environment. Typically, this will occur through the loss of an electronic storage device or paper records containing personal information.

Other examples of common breaches include:

• employees accessing personal information outside the scope of their employment
• paper records stolen from insecure garbage or recycling bins
• when sending a patient’s personal details and/or health information to the wrong recipient • a practice being deceived into improperly releasing the personal information of another person
• accidental or inadvertent disclosure.

If your practice believes an eligible breach occurred resulting in serious harm to patients, the mandatory notification law requires you to:

• prepare as soon as practicable a statement for the OAIC detailing the breach
• subsequently notify each affected patient of the content of that statement (if not practical, your practice must publish a copy of the statement on its website).

It is recommended your practice develops a robust data breach response plan to take timely and efficient actions.

An Individual Healthcare Identifier is a unique number assigned to healthcare consumers, healthcare providers and organisations providing healthcare services. For example, an Individual Healthcare Identifier is automatically allocated to all persons enrolled with Medicare and anyone who is issued with a Department of Veteran’s Affairs entitlement. It is available to all others who seek healthcare in Australia.

The use of healthcare identifiers instead of names is useful to protect privacy. However, the adopted identifier system used by your practice must not include any prohibited details. In addition, the identification number should not reveal any health information about the patient.

The legal and ethical principles governing health research using human participants make it clear that research participant consent is paramount.

Patients should understand what the proposed research involves, the ways in which their health information will be used or disclosed, the risks and benefits of agreeing to participate, and whether the research will be published.

Ethical obligations include ensuring the research design clearly collects informed consent, avoiding publishing identifiable information (unless participants have consented otherwise) and informing participants of the potential to be identified even from de-identified material.

For more information, refer to the NHMRC’s National statement on ethical conduct in human research 2007

Considerations when participating in health research

Patients should be made aware your practice may use de-identified health information for public health research. This may be done by way of an information sheet in the waiting room or noting consenting patients.

In the case of epidemiological research, it will generally be unnecessary to keep patient identifiable data sets. In any event, all research records should be de-identified at the earliest possible time consistent with the proper conduct of the research.

Interaction between the Privacy Act and health research

In addition to privacy obligations, practices must comply with all ethical requirements imposed for research conducted on human participants. It is important researchers understand they must comply with both privacy and ethical obligations (as appropriate).

For example, even where human research has approval to publish identifiable health information, practices must ensure all relevant Privacy Act requirements are satisfied before doing so. The safest manner of doing so is through obtaining written participant consent.

The option to use health information for a secondary purpose is also left open by the Privacy Act, if it is reasonable to expect this information will be used in health research (refer to Section 2.3.1. Use for primary and secondary purposes). This may include use for quality improvement activities within the practice.

Where there is any doubt as to whether the proposed research is directly related to the purpose for which the information was collected or within the reasonable expectations of the patient, written consent should be obtained.