Privacy considerations
|
|
Establishing a practice privacy policy
|
|
Does your practice have an up-to-date, accurate, accessible and freely available privacy policy?
|
Your practice should have a policy that defines how to handle enquiries and complaints.
|
|
Quality and content of medical records
|
|
Does your practice have processes in place to ensure it holds accurate and up-to-date data at all times, including accurate health summaries and medication lists?
|
Your practice should develop a policy for everyone to understand and follow regarding how data is accurately collected and safely held.
|
|
Patient consent
|
|
Does your practice have a procedure for requesting and recording patient consent?
Do your practice staff understand the requirements surrounding this?
|
Consent might be sought for primary and secondary uses provided they are adequately stipulated. Although inferred consent might be relied on in certain circumstances, express consent (a signature or a documented positive response to a question) should always be sought.
|
|
Collecting health information
|
|
Does your practice have defined processes to inform patients of when, what and how the practice collects health information?
Does your practice have a process or policy in place to handle requests for anonymity or pseudonymity?
|
This might include manual procedures, practice policies or the ability of your systems and software to handle the tasks.
|
|
Patient access to personal information
|
|
Does your practice have procedures for handling patient requests for access to and correction of their information?
|
These procedures include assessment of requests, refusal procedures and administration fees.
|
|
Use and disclosure of personal information
|
|
Does your practice have a process for patients to opt in or out of marketing communications?
|
Ensure you communicate marketing options to your patients clearly and transparently.
|
|
Medical research
|
|
Does your practice have procedures for conducting health research, including participant consent and notification?
|
This includes procedures for how to deal with requests for the secondary use of data. Refer to the RACGP's Three key principles for the secondary use of general practice data by third parties resource for guidance and a decision-making support tool.
|
|
Quality improvement and continuing professional development
|
|
Does your practice have procedures to record occurrences of patient information use for quality improvement and continuing professional development?
|
Your practice’s privacy policy should disclose whether patient information is used for continuing professional development purposes and/or for quality-improvement activities.
|
|
Information security and data retention
|
|
Does your practice offer an information security level sufficient to ensure the safe and proper protection of the information it holds?
Does your practice have a process for document classification, retention, destruction and de-identification of patient information?
|
This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods.
|
|
Healthcare provider identification
|
|
Does your practice have a process for identifying the need for, and recording of, the consent of a healthcare practitioner?
|
This occurs when sharing information identifies the practice even though the patient health information might be de-identified.
|
|
Healthcare identifiers
|
|
Do your practice staff understand the restrictions on use of healthcare identifiers?
|
Educate staff on the requirements of the Health Identifiers Act 2010 and other government initiatives that your practice is engaged in.
|
|
Mandatory data breach notification plan
|
|
Does your practice have a data breach response plan?
|
Your practice should have a regularly tested emergency response plan to deal with data breaches and a plan outlining how to, and who should, communicate a data breach.
|