Health Privacy It’s My Business
Transcript of Health Privacy It’s My Business
2013 1
Health Privacy: It’s My Business
An Introduction to the Health Records Act 2001 (Vic)
Angela Palombo, Legal & Policy Officer
17 April 2013
Impact of privacy laws
Privacy laws provide people with more control over how organisations handle their personal information.
Privacy laws should not stop an organisation carrying out their core business, but may mean changes to the way personal information is handled.
Privacy laws promote openness and transparency in the handling of personal information.
The right to privacy has to be balanced against the necessary flow of information for the provision of services.
Privacy protection is a balancing act:
- maximising the level of control that individuals have over their personal information;
- while ensuring that the right information is available to the right people at the right time in the right way to enable necessary operations and services.
Privacy for Victorians
Victoria: Health Records Act 2001.
Victoria: Information Privacy Act 2000 - applies to all personal information (except health information) that is collected or held by the Victorian public sector and by organisations funded by the public sector.
Commonwealth: Privacy Act 1988 - extended to the private sector from 21 December 2001.
Office of the Australian Information Commissioner
Began operation 1 November 2010.
The Australian Information Commissioner is the head of the Office, supported by the Privacy Commissioner and the FOI Commissioner.
Independent oversight of privacy and FOI, and advising Government on broader government information management.
Key Elements
Health Privacy Principles (HPPs) - applicable to the public and private sectors.
A statutory right of access to personal health information held in the private sector (the High Court held in Breen v Williams that no such right of access exists at common law).
Three important aspects of privacy:
1. Confidentiality
2. Data protection
3. Consumer choice
Objects of the Act (s.6)
To ensure responsible handling of health information.
To balance the public interest in protecting privacy with the public interest in the legitimate use of information.
To enhance the ability of individuals to be informed about their health care.
To promote the provision of quality health services.
Who is covered by the Act?
Most organisations hold health information about individuals. The Act covers: health service providers; and any other person or organisation that collects or handles personal health information (e.g. schools, employers, churches).
What is health information?
For health service providers it is all identifying personal information collected to provide a health service;
For non health service providers it is all identifying personal information about the health or disability of an individual.
Personal information means:
Information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information.
It does not have to be true, does not have to be recorded in material form, and includes information forming part of a database.
Minors
No change to the current common law position: a minor is capable of giving informed consent when they achieve sufficient understanding and intelligence to enable them to understand fully what is proposed.
There is no set age; capacity must be assessed on a case-by-case basis.
Deceased individuals
The Act applies in relation to the health information of a deceased individual who has been dead for 30 years or less in the same way it applies to the health information of a living person.
Deceased individuals
Legal representative can exercise rights on behalf of the deceased individual.
Legal representative defined as executor of will or administrator of the estate.
Any consent by legal representative is void if s/he knows that action does not accord with wishes expressed by an individual whilst still alive.
Impact of other legislation
The Health Records Act does not override other legislation.
Existing provisions in other statutes governing the confidentiality, use and disclosure of health information, and those that regulate access to certain kinds of personal information, continue to apply, e.g.:
- Health Services Act, s.141
- Children, Youth and Families Act 2005
- Public Health and Wellbeing Regulations 2009 (some in coded form)
Health Privacy Principles
1. Collection
2. Use & Disclosure
3. Data Quality
4. Data Security & Retention
5. Openness
6. Access & Correction
7. Identifiers
8. Anonymity
9. Transborder Data Flows
10. Transfer/closure of practice of a health service provider
11. Making information available to another health service provider
A contravention of the HPPs is:
“an interference with the privacy of an individual” and could give rise to a complaint to the Health Services Commissioner.
Outcomes for non-compliance include:
1. Complaints
2. Compliance notices - for serious or persistent breaches
Consent
Valid consent requires that the individual has the capacity to consent, and that the consent is:
- voluntary;
- informed;
- specific; and
- current.
HPP 1: Collection
Only collect health information necessary for the performance of your functions or activities
Generally need consent to collect health information (either express or implied)
Provide a ‘collection statement’ to notify those you collect from about what you do with the information and that they can gain access to it.
When collecting personal information, tell the person:
- who is collecting the information;
- what it will be used for;
- whether the collection is required by law;
- who else the information will usually be disclosed to;
- what the main consequences, if any, are for them if they do not provide the information; and
- how they can get access to the information.
HPP 2: Use & Disclosure
Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.
Other use or disclosure is allowed in certain circumstances, including with consent or as required by law (e.g. auditing by the Victorian WorkCover Authority or the TAC).
Public interest disclosure without consent
HPP 2.2(h): disclosure is permitted if the provider reasonably believes the disclosure is necessary to prevent
(a) a serious and imminent threat to an individual’s life, health, safety or welfare, or
(b) a serious threat to public health, public safety or public welfare.
Case Study (1) – Psychiatrist writing to referring GP: Collection & Disclosure
A GP refers a patient to a psychiatrist. After visiting the psychiatrist, the patient visits the GP and realises that the psychiatrist has revealed all of her conversation with him in a letter to the GP.
The patient is upset: she didn’t realise this would happen and did not want the GP to know some of the information. Did any breach of the Health Records Act occur?
Issues to consider:
- HPP 1.4 - Information given at the time of collection
- HPP 2.2(a) - Use and disclosure of health information
The eHealth record system
From July 2012, Australians can choose to register for their own personally controlled electronic health (eHealth) record.
The eHealth record system provides access to key health information drawn from a patient’s health records. With the patient’s consent, this information can be quickly shared between healthcare organisations and other healthcare professionals involved in the patient’s care.
2013 25
The eHealth record system
Over time, an eHealth record will grow to contain a summary of a patient’s key healthcare events and activities, including medical history, allergies & current medications. The system is designed to be integrated into existing local clinical information systems.
An individual can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it & what information is included.
2013 26
The eHealth record system
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed.
Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
2013 27
Does an eHealth record replace existing records?
From ehealth.gov.au: FAQs for healthcare professionals: eHealth records will not replace existing medical records.
Healthcare professionals will continue to take and review clinical notes. More detailed patient information will be available on local clinical information systems, as per current practice.
The eHealth record system provides an active online record that follows patients as they move through Australia’s health system, and includes important clinical and treatment information.
It is expected that, in the future, the availability of eHealth records will save healthcare professionals valuable time.
HPP 3: Data Quality
Take reasonable steps to ensure the health information you hold is:
- accurate, complete and up-to-date; and
- relevant to the functions you perform.
HPP 4: Security & Retention
An organisation must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised modification or disclosure.
A health service provider must keep health information for a minimum of 7 years after the last occasion on which a health service was provided. For a child (an individual under 18 when the information was collected) the information must be kept until the child turns 25, or until 7 years after the last contact, whichever is the later.
Public sector organisations retain records in accordance with the Public Records Act.
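The retention rule above has an edge case that is easy to get wrong in a records system: the 7-year clock and the "turns 25" clock are compared, and the later one wins. The following Python calculator is an added example, not material from the presentation or from the Health Services Commissioner. It assumes, following the wording of HPP 4.2 of the Act, that "child" means an individual who was under 18 when the information was first collected; the function names, constants and the sample records are constructed for illustration and are not real patients.

```python
from datetime import date

# Assumptions not stated on the slide (taken here from HPP 4.2 of the Act):
# "child" means an individual under 18 when the information was first collected,
# and the 7-year period runs from the last occasion the provider gave a health service.
ADULT_AGE = 18
RETENTION_YEARS = 7
CHILD_RETENTION_AGE = 25


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary falls on 1 March in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def age_on(date_of_birth: date, on: date) -> int:
    """Completed years of age on the given date (birthday not yet reached counts one less)."""
    had_birthday = (on.month, on.day) >= (date_of_birth.month, date_of_birth.day)
    return on.year - date_of_birth.year - (0 if had_birthday else 1)


def retain_until(date_of_birth: date, first_collected: date, last_service: date) -> date:
    """Earliest date on which a health service provider may destroy the record under HPP 4.

    Adult at collection: 7 years after the last health service.
    Child at collection: the later of the 25th birthday and the 7-year date.
    """
    if last_service < first_collected:
        raise ValueError("last_service precedes first_collected")
    seven_years_after_last_service = add_years(last_service, RETENTION_YEARS)
    if age_on(date_of_birth, first_collected) < ADULT_AGE:
        return max(seven_years_after_last_service,
                   add_years(date_of_birth, CHILD_RETENTION_AGE))
    return seven_years_after_last_service


def may_destroy(date_of_birth: date, first_collected: date,
                last_service: date, today: date) -> bool:
    """True once the minimum retention period has expired (destruction is permitted, not required)."""
    return today >= retain_until(date_of_birth, first_collected, last_service)


if __name__ == "__main__":
    # Constructed sample records: (date_of_birth, first_collected, last_service).
    adult = (date(1970, 3, 4), date(2005, 1, 10), date(2013, 4, 17))
    child_short_contact = (date(2003, 1, 15), date(2010, 6, 1), date(2013, 4, 17))
    collected_as_child_treated_as_adult = (date(1995, 6, 1), date(2012, 9, 1), date(2016, 3, 1))
    for rec in (adult, child_short_contact, collected_as_child_treated_as_adult):
        print(rec, "->", retain_until(*rec))
```

The third sample record is the case the "whichever is the later" wording exists for: information first collected at 17 but with treatment continuing into adulthood, where 7 years after the last service runs past the 25th birthday. Note that the result is the earliest permitted destruction date; other legislation (for example the Public Records Act for public sector bodies) may require longer retention.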
Management of Personal Information
Physical security might include:
- locking filing cabinets;
- restricting access to certain areas;
- positioning computer terminals so they cannot be seen by unauthorised personnel; and
- questioning unaccompanied or unrecognised visitors.
Management of Personal Information
Operational security might include:
- rules on levels of access;
- audit trails to detect unauthorised access;
- changing of passwords at frequent intervals;
- avoiding collecting information in public waiting rooms where possible;
- use of fictitious information for training; and
- procedures for dealing with employees who leave.
Management of Personal Information
Security of transmission:
- programming fax machines to avoid the risk of misdialling;
- retaining fax activity history reports;
- controlling the type of information sent; and
- telephoning the intended recipient prior to transmission.
Management of Personal Information
E-mail:
- guidelines for use of e-mail;
- encrypting files;
- blind carbon copying address details; and
- e-mail privacy notices.
See the Royal Australian College of General Practitioners’ “Computer and Information Security Standards”, published October 2011: http://www.racgp.org.au/ehealth/ciss
Post: take care not to display the contents of letters through window envelopes.
HPP 5: Openness
Organisations must have a document with clearly expressed policies on:
• how they manage the health information they hold; and
• the steps an individual may take to obtain access to health information about them held by the organisation
Make the privacy policy available to anyone who asks for it.
HPP 6: Access & Correction
Individuals have a right to seek access to health information about them held in the private sector.
They also have a right to correct it if it is inaccurate, incomplete, misleading or not up-to-date.
The FOI Act continues to give individuals a right of access to health information about themselves held by public sector organisations.
Mandatory limits to access
Access must not be granted where:
- an organisation believes on reasonable grounds that granting access would pose a serious threat to the life or health of the person making the request or any other person; or
- the information was given in confidence by another person (but not a health service provider), unless that person consents.
HPP 10: Transfer/closure of practice of a health service provider
Health service providers whose business or practice is being sold, transferred or closed down, without the individual continuing to provide services, must give notice of the transfer or closure to service users: a letter to current clients, a notice at the premises and an advertisement in the local paper.
Aims to encourage individuals to apply for their health information while it is still readily available.
Enables individuals to provide their current treating practitioner with their existing health information.
HPP 11: Making information available to another health service provider
If you are a health service provider, you must make health information relating to the individual available to another health service provider if requested by the individual.
This must be done as soon as practicable.
Exemptions
- The judiciary and quasi-judicial bodies (courts and tribunals) when exercising their judicial or quasi-judicial functions;
- genuine news activities carried out by organisations whose dominant function is disseminating news;
- information relating to personal, family or household affairs.
HSC Complaints Process
Many people make enquiries without lodging a formal complaint.
Approx. 50% of telephone inquiries result in lodgement of a complaint.
Complaints must be received in writing. A person must have standing to make a complaint.
Consent is obtained from complainants to send their complaint to the respondent.
HSC Complaints Process (2)
Approx 90% of complaints are resolved informally.
Approx 10% of complaints go to conciliation.
If a complaint is not resolved through conciliation the complainant may request the complaint be referred to VCAT for hearing.
Case study (2) – Second opinion disclosed to first doctor
A man has a surgical procedure of a cosmetic nature. He is dissatisfied and obtains a second opinion from another surgeon.
The man discovers the first surgeon had obtained a copy of the reviewing surgeon’s letter to the referring GP.
Issues to consider:
- HPP 1.4: Collection statement
- HPP 2.1: Disclosure permitted for the primary purpose for which the information was collected
- HPP 2.2(a): Disclosure based on the patient’s reasonable expectation
Case study (3) – Disclosure to work colleagues
A woman complained that her employer disclosed to staff members that she was absent from work because she was on stress leave and seeing a psychiatrist.
The employer stated he thought it was necessary in order to make staff aware of the need to cover her role until her return.
After discussions with the OHSC, the employer accepted it had not been necessary to tell other staff the reasons for the absence. He apologised to the woman, who was satisfied with this outcome.
Key points
Privacy laws do not prevent the legitimate flows of information necessary for the provision of a health service.
Become familiar with the privacy principles and apply them to the way you handle personal information.
Key points
Collect only the information you need.
Advise people why you need the information and how it will be used and disclosed.
Use and disclose for the primary purpose of collection unless the person consents or an exemption applies.
Take steps to ensure the quality of the information.
Secure the information.
Health Records Act 2001: Online training now available
Is your organisation regulated by the Health Records Act 2001 (Vic)? Do you or your staff need training?
The Office of the Health Services Commissioner has contracted e3Learning Solutions to operate a low-cost online training course available to organisations regulated by the Health Records Act 2001 (Vic).
Online training
The training course:
- is free;
- is suitable for staff of all organisations regulated by the Act;
- provides basic training for staff and organisations regulated by the Act; and
- includes the production of a Certificate of Completion for staff who successfully complete the course.
Health Services Commissioner
Contact details:
Level 30, 570 Bourke Street, Melbourne
Tel: 03 8601 5222
Toll free: 1800 136 066
Website: www.health.vic.gov.au/hsc
Email: [email protected]
Fax: (03) 8601 5219
TTY: 1300 550 275
DX: 210182