Protect Your Practice

Protecting patient privacy and confidentiality pertaining to medical records and health information is essential, and as a practice manager you need to ensure the practice adheres to legislation outlining privacy requirements.

Privacy obligations in relation to patient records and health information

Medical practices and medical practitioners in all states and territories must comply with the Commonwealth’s Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Australian Privacy Principles (APPs). The 13 APPs commenced on 12 March 2014 and are grouped into five parts.

Part 1 - Consideration of personal information (PI)

APP 1 – Open and transparent management of PI

APP 2 – Anonymity and pseudonymity

Part 2 - Collection of PI

APP 3 – Collection of solicited PI

APP 4 – Dealing with unsolicited PI

APP 5 – Notification of collection of PI

Part 3 - Dealing with PI

APP 6 – Use or disclosure of PI

APP 7 – Direct marketing

APP 8 – Cross-border disclosure of PI

APP 9 – Adoption, use or disclosure of government related identifiers

Part 4 - Integrity of PI

APP 10 – Quality of PI

APP 11 – Security of PI

Part 5 - Access to and correction of PI

APP 12 – Access to PI

APP 13 – Correction of PI

This guide reflects Commonwealth privacy laws. In addition, Victoria, NSW and the ACT have their own legislation governing privacy obligations with which medical practitioners must also comply.

For further information on the privacy requirements in your state or territory, refer to the Avant fact sheet, ‘Privacy basics – patient records and health information’.

** Whilst our first thoughts about privacy relate to our patients, we also need to consider our obligations under the Act in relation to information held about staff, contractors and employees.

Improve your practice

The practice should aim to ensure that health and other sensitive personal information collected during the course of a patient’s relationship with the practice and its staff remains secure and is used and disclosed only for the primary purpose for which it was collected, or for a secondary purpose that the APPs permit, save for any legally permissible exemptions (see below).

All employees and contractors should sign a confidentiality agreement with the practice to ensure they are aware of their obligations around confidentiality and provide the practice with protection should a breach occur.

A social media policy should be in place to protect staff privacy and to address potential employment issues arising from staff use of social media.

The Australian Privacy Principles should be included in the induction program for all practitioners and staff in the practice.

You should implement practices, procedures and systems that reflect the five parts associated with the 13 APPs as outlined above.

This process should be in accordance with Australian Privacy Principles and any applicable State and Territory privacy legislation. Outlined below is a summary of the 13 APPs and how they may affect your medical practice. You should familiarise yourself with the complete requirements and obligations that you may have to your patients.

1 - The practice is required to manage personal information in an open and transparent way and have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity. The APP privacy policy must contain the following information:

  • the kinds of personal information that the entity collects and holds
  • how the entity collects and holds personal information
  • the purposes for which the entity collects, holds, uses and discloses personal information
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information
  • how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint
  • whether the entity is likely to disclose personal information to overseas recipients
  • if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

2 - Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with the practice in relation to a particular matter. This does not apply if:

  • the practice is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
  • it is impracticable for the practice to deal with individuals who have not identified themselves or who have used a pseudonym.

A medical practice will usually be able to rely on the second exception for clinical care, prescribing and billing, but the option should still be offered where it is practicable (for example, general enquiries).

3 - The practice must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the practice’s functions or activities. Health information is sensitive information: the practice must not collect it unless the individual consents and the information is reasonably necessary for the practice’s functions or activities, or an exception in APP 3.4 applies (for example, where the collection is required or authorised by or under an Australian law). Personal information must be collected only by lawful and fair means and, unless it is unreasonable or impracticable to do so, from the individual concerned.

4 - If the practice receives personal information that it did not solicit, the practice must, within a reasonable period after receiving the information, determine whether it could have collected the information under APP 3. If it could not have, and it is lawful and reasonable to do so, the practice must destroy the information or ensure that it is de-identified. If it could have collected the information, APPs 5 to 13 apply to it as they would to solicited information.

5 - At or before the time the practice collects personal information about an individual or, if that is not practicable, as soon as practicable afterwards, the practice must take such steps (if any) as are reasonable in the circumstances to notify the individual of, or otherwise ensure that the individual is aware of, the matters that are reasonable in the circumstances, including:

    1. why the information is collected
    2. how the information may be accessed and corrected
    3. whether the information is likely to be disclosed, and to whom (including any overseas recipients)
    4. how the patient can complain about possible breaches.

6 - If the practice holds personal information about an individual that was collected for a particular purpose (the primary purpose), the practice must not use or disclose the information for another purpose (the secondary purpose) unless:

  • the individual has consented to the use or disclosure of the information; or
  • the individual would reasonably expect the practice to use or disclose the information for the secondary purpose, and the secondary purpose is:
    • if the information is sensitive information (which includes health information), directly related to the primary purpose
    • if the information is not sensitive information, related to the primary purpose; or
  • another exception in APP 6.2 applies, for example where the use or disclosure is required or authorised by or under an Australian law, or a court/tribunal order.

7 - The practice must not use or disclose personal information for the purpose of direct marketing unless an exception in APP 7 applies. For information that is not sensitive, direct marketing is permitted where the individual consents, or would reasonably expect it, and the practice provides a simple means to opt out and acts on any opt-out request. Sensitive information, including health information, may be used or disclosed for direct marketing only with the individual’s consent.

8 - Before the practice discloses personal information about an individual to an overseas recipient:

  • who is not in Australia or an external Territory; and
  • who is not the practice or the individual,

the practice must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information. Under section 16C of the Privacy Act, if the overseas recipient does breach the APPs, the practice is taken to have breached them, unless an exception in APP 8.2 applies (for example, the individual was expressly informed of this and consented to the disclosure).

This would relate to the practice being aware of items such as:

  • where any off-site or cloud data back-up is stored
  • where SMS reminders are sent from, or routed by, any services outside Australia. The same question applies to any other hosted service the practice uses to handle patient information.

If you are going to continue to use such services, you should obtain a written agreement with the provider that records where the data is held and processed, requires the provider to handle it in accordance with the APPs, and indemnifies the practice for any breaches caused by the provider. Note that such an indemnity is a contractual remedy only; it does not remove the practice’s own accountability under the Privacy Act for the overseas recipient’s handling of the information. The countries involved should also be recorded in the practice’s APP privacy policy, as APP 1 requires.

9 - An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:

  • the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.

An organisation must not use or disclose a government related identifier of an individual unless:

  • the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation's activities or functions
  • the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order.

10 - The practice must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information the practice collects is accurate, up to date and complete.

11 - If the practice holds personal information, the practice must take such steps as are reasonable in the circumstances to protect the information:

  • from misuse, interference and loss
  • from unauthorised access, modification or disclosure.

Reasonable steps for a practice will typically include unique logins and role-based access to the practice software, screen locks on unattended workstations, regular patching, encrypted and tested backups, and secure disposal of paper and electronic records.

If the practice holds personal information about an individual (including employees), and:

  • the practice no longer needs the information for any purpose for which it may be used or disclosed under the APPs; and
  • the information is not contained in a Commonwealth record; and
  • the practice is not required by or under an Australian law, or a court/tribunal order, to retain the information,

the practice must take such steps as are reasonable in the circumstances to destroy the information or to ensure that it is de-identified. For medical records, State and Territory health records legislation and professional guidance set minimum retention periods that will usually apply before this obligation arises.

12 - If the practice holds personal information about an individual, the practice must, on request by the individual, give the individual access to the information. There are circumstances that would exempt a practice from providing access, and these include:

  • the practice reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
  • giving access would have an unreasonable impact on the privacy of other individuals
  • the request for access is frivolous or vexatious
  • the information relates to existing or anticipated legal proceedings between the practice and the individual, and would not be accessible by the process of discovery in those proceedings
  • denying access is required or authorised by or under an Australian law or a court/tribunal order.

13 - If the practice holds personal information about an individual, and either:

  • the practice is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
  • the individual requests the practice to correct the information,

the practice must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.

Where practices receive requests for access or correction under the above APPs, the practice must respond within a reasonable period; 30 days from receipt of the request is the generally accepted benchmark.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 was passed in Parliament on 29 November 2012. The Act came into effect on 12 March 2014. The reforms introduce a single set of privacy principles called the Australian Privacy Principles (APPs) and a number of changes to how personal information is handled, including when it can be used for direct marketing purposes and sent overseas.


As well as the obligations under the Privacy Act, there are practical elements that you can utilise in the practice to promote privacy and confidentiality:

  • physical layout of reception to provide sound barriers, reduce the visibility of computer screens to patients, and use walls or ambient background noise so that conversations between staff and patients are not overheard
  • appropriate sound proofing between internal walls to maintain privacy in consultation/treatment rooms
  • staff awareness of the volume and location of their conversations with patients, especially when on the telephone and using language that may identify the patient
  • access to a private area to conduct sensitive conversations
  • access to a quiet area for upset or grieving patients.

If you breach a patient’s privacy you should contact Avant’s Medico-Legal Advisory Service on 1800 128 268 or the AAPM – AHIG advisory service on (03) 9280 8061 for advice.



This publication is proudly brought to you by Avant Mutual Group. The content was authored by Brett McPherson, reviewed by Colleen Sullivan and Avant Mutual Group.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practice proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2014.

IMPORTANT: Professional indemnity insurance products and Avant’s Practice Medical Indemnity Policy are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. The information provided here is general advice only. You should consider the appropriateness of the advice having regard to your own objectives, financial situation and needs before deciding to purchase or continuing to hold a policy with us. For full details including the terms, conditions, and exclusions that apply, please read and consider the policy wording and PDS, which is available at www.avant.org.au or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation and you should contact your insurance broker for more information. Cover is subject to the terms, conditions and exclusions of the policy. Any advice here does not take into account your objectives, financial situation or needs. You should consider whether the product is appropriate for you before deciding to purchase or continuing to hold a policy with us.