Criterion 4.2.1 Confidentiality and privacy of health information
Our health service has a systematic approach to managing the confidentiality and privacy of patient health information.
► A. Our staff can describe how we ensure the confidentiality and privacy of patient health records (interview).
► B. Our staff can demonstrate how patient health records can be accessed by authorised staff at the time of consultation (interview, direct observation).
► C. Our staff can describe the processes we use to provide patients with access to their own health information (interview).
► D. If our health service participates in research, we can show evidence that this research has been approved by a Human Research Ethics Committee, according to National Health and Medical Research Council guidelines (document review).
► E. Our health service has a written policy for the management of patient health information (document review).
The patient health information held by health services within Australian prisons belongs to the relevant state or territory department of health or department of justice (Victoria only).
The Commonwealth Privacy Act 2001 [46] states that a patient’s ‘personal health information’ includes a person’s name, address, account details and any health information (including medical or personal opinion) about the person. Sometimes details about a person’s medical history or other contextual information can identify them even if no name is attached to that information, and so this is still considered personal health information. Medical and other clinical staff have requirements relating to confidentiality in their professional registration and codes of conduct.
The RACGP Handbook for the management of health information in private medical practice (www.racgp.org.au) [47] describes minimum safeguards and procedures that need to be followed in order to meet appropriate legal and ethical standards concerning the privacy and security of patient records. This information is also pertinent to health services in Australian prisons.
Health services are encouraged to become familiar with the relevant federal and state or territory privacy legislation, as this will determine how health services manage patient health information. Further information is available from www.privacy.gov.au [48].
The health service needs to have a documented policy for managing patient health information. This policy needs to outline:
- procedures for informing new patients about privacy arrangements (including how patients are informed about the use of their information for quality assurance, research and professional development)
- the range of people (eg. doctors and other members of the clinical team) who may have access to patient health records and the scope of that access
- procedures for patients to gain access to their health information
- how the health service gains a patient’s consent before disclosing their personal health information to third parties
- the process for providing health information to another health professional should patients request that be done
- the way the health service addresses complaints about privacy related matters
- information on the retention of patient health records
- the exceptions to the usual obligations for using or disclosing patient health information (eg. uses or disclosures required or authorised by law or those necessary to prevent or lessen a serious or imminent threat to someone’s life, health or safety)
- how the confidentiality and privacy of patient health information can be maximised if a prison officer is required to be present during a consultation.
Section 2.42 of the Standard guidelines for corrections in Australia [49] outlines principles designed to support the confidentiality and privacy of patient health information as follows:
The confidentiality of medical information shall be maintained to preserve each prisoner’s individual entitlement to privacy subject to disclosures required or authorised by law. However, medical information may be provided on a ‘need to know’ basis:
- with the consent of the prisoner, or
- in the interest of the prisoner’s welfare, or
- where to maintain confidentiality may jeopardise the safety of others or the good order and security of the prison.
There may be tension between the need to respect the privacy and confidentiality of a patient consultation and the need to manage any security or safety risks that the patient may pose to health professionals during a consultation. If third parties such as a prison officer need to be present during a consultation for safety or security purposes, health services need to make reasonable efforts to ensure the disclosure of personal health information to the third party is minimised (see Criterion 2.1.3: Presence of a third party).
Patients need to be informed that their health information will be treated as private and confidential and will only be released to third parties with their consent or on a ‘need to know’ basis in the interest of the prisoner’s welfare or where to maintain confidentiality may jeopardise the safety of others or the good order and security of the prison [50] (see Criterion 1.2.1: Health service information). The health service, in conjunction with the relevant government department and/or prison management, needs to determine the types of risks or events that would warrant the transmission of confidential information without the consent of a patient. This may vary for different prisons depending on the prison population.
Patient consent is often provided at an early stage in the process of clinical care. This is a good time to ensure that patients develop a shared expectation about the use of their patient health information including the access that individual health service staff may have for the purpose of continuous and comprehensive care and the likelihood that such information will be used during quality improvement activities within the health service.
Research is an important component of general practice in Australia. Health services are encouraged to participate in research both within their own service and through reputable external bodies. Further information about research in health services, including the requirements for ethics approval, can be found in the NHMRC National statement on ethical conduct in human research [51] (www.nhmrc.gov.au/_files_nhmrc/file/publications/synopses/e72-jul09.pdf).
The privacy and confidentiality of patient health information is equally important for health services that have paper based, hybrid (paper based and electronic), and solely electronic based systems of information management. Each system will pose different challenges to privacy and information security. Hybrid systems are more vulnerable to errors in information management as both the electronic and paper records need to be fully congruent.