Privacy considerations

| Privacy consideration | Questions to ask | Guidance |
|---|---|---|
| Establishing a practice privacy policy | Does your practice have an up-to-date, accurate, accessible and freely available privacy policy? | Your practice should have a policy that defines how to handle enquiries and complaints. |
| Quality and content of medical records | Does your practice have processes in place to ensure it holds accurate and up-to-date data at all times, including accurate health summaries and medication lists? | Your practice should develop a policy for everyone to understand and follow regarding how data is accurately collected and safely held. |
| Patient consent | Does your practice have a procedure for requesting and recording patient consent? Do your practice staff understand the requirements surrounding this? | Consent might be sought for primary and secondary uses provided they are adequately stipulated. Although inferred consent might be relied on in certain circumstances, express consent (a signature or a documented positive response to a question) should always be sought. |
| Collecting health information | Does your practice have defined processes to inform patients of when, what and how the practice collects health information? Does your practice have a process or policy in place to handle requests for anonymity or pseudonymity? | This might include manual procedures, practice policies or the ability of your systems and software to handle the tasks. |
| Patient access to personal information | Does your practice have procedures for handling patient requests for access to and correction of their information? | These procedures include assessment of requests, refusal procedures and administration fees. |
| Use and disclosure of personal information | Does your practice have a process for patients to opt in or out of marketing communications? | Ensure you communicate marketing options to your patients clearly and transparently. |
| Medical research | Does your practice have procedures for conducting health research, including participant consent and notification? | This includes procedures for how to deal with requests for the secondary use of data. Refer to the RACGP’s Secondary use of general practice data resource for guidance and a decision-making support tool. |
| Quality improvement and continuing professional development | Does your practice have procedures to record occurrences of patient information use for quality improvement and continuing professional development? | Your practice’s privacy policy should disclose whether patient information is used for continuing professional development purposes and/or for quality-improvement activities. |
| Information security and data retention | Does your practice offer an information security level sufficient to ensure the safe and proper protection of the information it holds? Does your practice have a process for document classification, retention, destruction and de-identification of patient information? | This will provide documented evidence of good practice in information security, including the secure disposal and de-identification of information and proper data retention periods. |
| Healthcare provider identification | Does your practice have a process for identifying the need for, and recording of, the consent of a healthcare practitioner? | This occurs when sharing information identifies the practice even though the patient health information might be de-identified. |
| Healthcare identifiers | Do your practice staff understand the restrictions on use of healthcare identifiers? | Educate staff on the requirements of the Health Identifiers Act 2010 and other government initiatives that your practice is engaged in. |
| Mandatory data breach notification plan | Does your practice have a data breach response plan? | Your practice should have a regularly tested emergency response plan to deal with data breaches and a plan outlining how to, and who should, communicate a data breach. |