Health information is given a higher level of privacy protection than other personal information. It includes information collected in connection with the provision of a health service, as well as information or opinions about the health or disability of an individual and a patient’s wishes about future healthcare. In short, think Secret Squirrel.
Protecting a patient’s privacy through good security measures and standardised business practices is critical to the operation of all medical and healthcare businesses.
Under Australian law, health professionals must take the necessary steps required to protect personal information from misuse, interference and loss and also from unauthorised access, modification or disclosure.
The Medical Board of Australia in its Good Medical Practice: A code of conduct for doctors states ‘a good doctor–patient partnership requires high standards of professional conduct … Among other principles, this involves protecting patients’ privacy and right to confidentiality, unless release of information is required by law or by public-interest considerations.’
What do businesses have to do?
- the kinds of personal/health information that the entity collects and holds;
- how they do it;
- how it is disclosed (eg. hosted with a cloud-based provider); and
- for what purpose it is used, disclosed, etc.
In addition, every medical and healthcare business should train its staff on privacy and other laws relating to the handling of patient/health information. The training should include details of the business’s obligations and who is responsible and accountable for the maintenance of confidentiality at each stage of the collection, handling, use and storage process. A Data Breach Response Plan in also required in case, heaven forbid, the business experiences a data breach.
What are my obligations?
Very briefly, some of the laws and rules that cover medical and healthcare patient privilege are as follows:
Privacy Act 1988 – All health care providers are required by law to preserve the integrity and collection of information given them. They must make sure their patients’ have exclusive access to their personal information (save for some exceptions), and have in place a system of governance and accountability in case of a request to access that information.
My Health Records Act 2012 created the ‘My Health Record’ system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient. Criminal and civil penalties apply if a person collects, uses, or discloses information from a My Health Record without authorisation.
The Healthcare Identifiers Act allows the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient. It created the Healthcare Provider Directory to allow authenticated electronic communications to take place between healthcare providers.
The Good Medical Practice (The Code) is the code of conduct for doctors in Australia. It sets out the principles that characterise good medical practice and makes explicit the standards of ethical and professional conduct expected of doctors by their profession and the community.
The Health Practitioner Regulation National Law Act 2010 confers upon the Medical Board the power to suspend or impose restrictions on a practitioner’s registration as an immediate action pending full investigation for an alleged breach of duty with public interest.
The Health Records and Information Privacy Act 2002 (NSW) provides the guidelines for the safekeeping, use, and disclosure of health information by public and private health service providers in New South Wales. Complaints of mishandling may be sent to the NSW Information and Privacy Commission or NSW Health Care Complaints Commission. If the breach involves a public healthcare provider, complaints may be lodged with the Ombudsman.
If you have any queries about your obligations under the above laws, or have received a request from a patient to access their patient records, give us a call.