All staff must comply with the following rules when collecting, using, storing or disclosing information about patients’ health or the treatment that they are receiving.
All staff have received training in the HIPC and this policy is part of compulsory reading for all new staff as part of orientation.
A copy of the HIPC is held on site and support information is available to the privacy officer.
Collecting health information
When you collect health information from patients you must:
- only collect the information for the purpose of treating the patient or for some other legal purpose;
- collect the information directly from the patient unless he/she has consented to you collecting the information from someone else or one of the other exceptions to this rule applies; and
- let the patient know why you are collecting the information, who will have access to the information and that the patient is entitled to access and correct the information. You will not need to tell patients this if you have collected the same type of information from them before.
Using health information
Before using patients’ health information you must do what you can to make sure that the information is accurate and up to date. The steps that you will need to take will vary depending on how old the information is and the risk of relying on inaccurate information in the circumstances.
You must only use patients’ health information for the purpose for which you have collected the information unless the patient has consented to you using the information for another purpose, or one of the other exceptions in the Health Information Privacy Code applies. You must consult our practice’s Privacy Officer before using a patient’s health information without the patient’s consent.
Storing health information
You must ensure that the health information that our practice holds is stored securely so that it cannot be accessed or used by unauthorised people. (We use individual passwords to access patient data on the computer; only clinical staff can access clinical information; paper files remain closed and on the filing system in secure office space; and old or archived files are kept securely for 10 years in the loft.)
By the end of the year, all files will be stored out of sight in a secure space on site.
When you transfer patients’ health information to someone else, you must do what you can to prevent unauthorised people from accessing or using the information.
Electronic transfer is utilized in most situations (GP2GP, EDI) for notes transfer between practices. There is a policy for tracking transferred notes (reminder tasks, faxed confirmation of receipt) in place to ensure paper records are as safe as possible once they have left the practice.
Our practice can keep patients’ health information for as long as we need the information to treat patients and must keep patients’ health information for a minimum of 10 years from the date that treatment was last provided.
Our practice must destroy patients’ health information in a way that ensures the confidentiality of the information. (This is usually by document shredder for paper information.)
Patients are entitled to ask our practice to confirm whether we hold information about them and to access the information unless we have lawful reasons for withholding the information.
Patients are also entitled to ask our practice to correct the information that we hold about them.
You must assist patients who ask to access their health information.
Disclosing health information
You must not disclose a patient’s health information without his/her consent (or the consent of his/her representative) unless you reasonably believe that it is not possible for you to get the patient’s consent and:
- the disclosure is for the purposes of the patient’s treatment (e.g. a referral);
- the disclosure is to the patient’s caregiver and the patient hasn’t objected to the disclosure;
- it is necessary for you to disclose the information to prevent a serious and immediate threat to the patient or another person’s life or health;
- the disclosure is made for the purposes of a criminal proceeding;
- the patient is, or is likely to become, dependent on a drug that you need to report under the Misuse of Drugs Act or the Medicines Act;
- the disclosure is to a social worker or the police and concerns suspected child abuse;
- the disclosure is made by a doctor to the Director of Land Transport Safety and concerns the patient’s ability to drive safely.
There are other situations where disclosure without consent may be justified, such as disclosing information to agencies such as CYFS and the Police. You must discuss any proposed disclosure with our practice’s Privacy Officer before disclosing the information.
You must consult with our practice’s Privacy Officer (Dr Mary Daly) before disclosing a patient’s health information without his/her consent.
Please contact our practice’s Privacy Officer if you have any queries about this policy.