Patient Privacy Policy
Purpose
To ensure that all staff at Papamoa Beach Family Practice proactively, and with intent, ensure that they meet their individual and practice obligations with regard to protecting health information as per the current Privacy Act and Health Information Privacy Code. This policy also outlines the responsibilities of the Privacy Officer, of which all staff should be aware.
Scope
All employees are bound to adhere to this policy without exception.
Policy
Papamoa Beach Family Practice values and protects the privacy of all our patients and staff in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.
To meet this commitment, we will take all practicable steps to:
- Ensure patients' personal privacy is respected at all times.
- Protect our patients' personal and health information, including details of their medical history and disabilities.
- Be proactive in anticipating privacy issues.
- Comply with current New Zealand Legislation (including the Privacy Act 2020 and the Health Information Privacy Code 2020).
Privacy Officer Responsibilities
Dr Tessa Stewart (GP Director) is the Privacy Officer for Papamoa Beach Family Practice. In her absence, privacy concerns will be managed by the Practice Manager (Adele Hedges).
The Privacy Officer holds responsibility for ensuring:
- Patient information will not be disclosed to any third party without express permission of the patient or their legal guardian if applicable. The only exception to this is the release of patient notes by order from a New Zealand Court, New Zealand Police or Oranga Tamariki (Ministry for Children).
- Conversational discretion is exercised at all times when discussing patient information.
- Where possible patient anonymity is maintained unless otherwise indicated.
- Training is provided for new employees, and staff. All staff are updated on the principles of (and any changes to) the Health Information Privacy Code 2020 every 3 years.
Individual Staff Responsibilities
All individual staff are responsible for ensuring:
- Conversational discretion is exercised at all times when discussing patient information.
- They are aware of the principles of (and any changes to) the Privacy Act 2020 and Health Information Privacy Code 2020.
Purpose of collection of Health Information (Rule 1)
Health Information will not be collected unless:
- The information is collected for a lawful purpose connected with a function or activity of the medical practice (e.g. care and treatment, administration, training and education, monitoring) AND
- The collection of the information is necessary for that purpose.
Source of Health Information (Rule 2)
The information is collected directly from the individual concerned unless:
- the individual gives informed consent to collect information from a third party.
- the individual is unable to give consent, in which case information may be collected from the individual’s representative or, with their informed consent, from a third party.
- Compliance would prejudice the interests of the individual concerned, the purpose of collection or the safety of any individual.
- Compliance is not reasonably practicable in the circumstances.
- The collection is for the purpose of assembling a family or genetic history of an individual and is collected directly from the individual concerned.
- The information is publicly available information.
- The information will be used in a form in which the individual concerned will not be identified, or for statistical or research purposes and published in a form that could not reasonably be expected to identify the individual concerned.
- Non-compliance is necessary for certain public interests.
Collection of Health Information from Individual (Rule 3)
When collecting information, the practice will abide by Rule 3 of the Health Information Privacy Code 2020 and ensure the patients are aware of:
- The fact that the information is being collected
- The purpose for which the information is being collected.
- The name and address of the health agency collecting, and agency holding the information.
- Whether or not the supply of the information is voluntary or mandatory, and if mandatory, the specific law under which it is required.
- The consequences (if any) for that individual if all or any part of the requested information is not provided; and
- The rights of access to (Rule 6), and correction of (Rule 7), the health information provided.
Manner of collection of health information (Rule 4)
Health information will not be collected:
- By unlawful means or
- By means that are unfair or intrude to an unreasonable extent upon the personal affairs of the individual concerned, paying particular attention to:
  - Physical privacy, especially when sensitive or intimate information is collected. The use of printed forms to collect sensitive information is preferable.
  - Streamlining the collection process so that intimate questions are not repeatedly asked of the same individual in a short space of time.
  - Some individuals may wish members of the whanau or family to be present or absent when particular information is collected.
  - Relationships: sometimes individuals may prefer to give information to someone with whom they have developed a relationship, rather than other staff members.
  - Express concerns or preferences of an individual should be respected.
  - Cultural sensitivities of the individual concerned should also be respected.
Storage and Security of Health Information (Rule 5)
Papamoa Beach Family Practice will ensure that:
- Health and contact information is protected, by putting in place security safeguards that are reasonable in the circumstances, against loss, or unauthorised access, use, modification or disclosure or other misuse; and
- If it is necessary for the information to be given to a third party in connection with a service provided to the health agency, including any storing, processing or destruction of information, the agency has done everything reasonably within their power to guard against unauthorised disclosure or use of the information; and
- Where a document containing health information is not to be kept, it is disposed of in a manner that preserves the privacy of the individual.
This is achieved by:
- Securing and restricting access to file storage areas (located in the Reception Office and Practice Manager’s Office) and fax machine (located in Reception area with pages printed face down so details cannot be seen by any person passing through the space who is not the intended recipient).
- Locking filing cabinets.
- Using (and regularly checking) programmed numbers to avoid misdialling, telephoning the recipient prior to transmission to ensure immediate uplift, careful checking of fax confirmation reports, logging and retaining fax activity histories and, where appropriate, using unique identifiers (usually NHI and date of birth) rather than names, to ensure transmission of confidential information about identifiable individuals does not occur.
- Ensuring items safely enter the postal system before they can be intercepted by third parties (post bag is stored at reception and collected directly by postal service on a regular basis), that envelopes do not display health information on the outside of the envelope and that no unauthorised delivery is made to third parties. Incoming information via post is handed directly to the reception team, who store it in their office until the information can be processed and entered into the patient's electronic file.
- Use of electronic referrals to external providers and specialists to reduce risk for misdialling, or unintended recipients viewing information.
- Taking precautions to protect records from fire, deterioration and other hazards.
- Requiring access keys and passwords to be physically secure (or keys/access rights changed/removed if not kept secure).
- Placing computer screens used for entering or changing health information out of sight of unauthorised personnel, use of screen savers, screen locks and privacy shields.
Access to personal health information (Rule 6)
Each staff member has a login code and password for the computer system and a separate login name and password for the Patient Management System, preventing access by those who do not have permission to access patient notes.
The patient retains the right to access a copy of their own medical notes at any time provided the following conditions are met:
- Their identity has been verified
- They have completed the appropriate request form. All consent forms will be scanned to the patient's medical file for future reference.
- There is no legal reason why they may not request notes (particularly applies to carers or guardians).
- The staff member has checked with the Privacy Officer or the individual's registered GP before disclosing/providing any information (particularly where access to this information may cause undue distress without appropriate supports in place).
A copy of the notes will be available within two business days of the request being made (except in special circumstances where this cannot be reasonably achieved). The practice cannot withhold information on the grounds that money is owed by the patient.
Children under 16:
- Information can be refused to a person under 16 if the practice feels it is not in their best interest (this should be determined at the discretion of their primary GP).
- Parents do not automatically have the right of access to their children’s files.
- Take care in situations where the child may have attended without their parent; in these circumstances the child should be treated as an adult in terms of confidentiality.
- Generally, the practice will release information about a child to a custodial parent or legal guardian. Staff must check with the Privacy Officer or GP before disclosing any information.
- The appropriate request form must be completed by the relevant party. All consent forms will be scanned to the patient's medical file for future reference.
Correction of health information (Rule 7)
Patients are entitled to:
- Request correction of the information.
- Request that there be attached to the information a statement of any correction sought but not made.
Accuracy of health information (Rule 8)
Papamoa Beach Family Practice will not use health information without taking such steps (if any) as are reasonable in the circumstances to ensure the information is accurate, up to date, complete, relevant and not misleading, having regard to the purpose for which the information is proposed to be used.
Retention of health information (Rule 9)
- Health information will not be kept for longer than is required for the purposes for which the information may lawfully be used.
- The above does not prohibit any agency from keeping any document that contains health information the retention of which is necessary or desirable for the purposes of providing health services or disability services to the individual concerned.
- When an individual transfers out of the practice or passes away, files will be marked as ‘T’ or ‘D’ and inactivated on the Patient Management System. Records will be able to be accessed in the future by authorised individuals only but will not be visible to those without permission to access. If applicable, the individual will be advised to collect any paper records or these will be disposed of in the confidential documents bin.
Limits on use of health information (Rule 10)
Health information held for one purpose must not be used for another purpose unless:
- An individual authorises use for other purposes
- Directly related to original purpose
- Information sourced from a publicly available publication
- The information will not identify the individual
- The information is sought for research purposes
- The information is required for court proceedings.
- Authority under section 54.
Limits on disclosure of health information, within and outside of New Zealand (Rules 11 & 12)
Papamoa Beach Family Practice will not disclose information unless:
- Disclosure is to, or authorised by, the individual concerned.
- Disclosure is for a purpose for which the information was obtained or for a directly related purpose.
- Information sourced from a publicly available publication.
- Disclosure of information is to a nominated person, principal caregiver or near relative. Patient information, test results, details of address etc must not be disclosed to people claiming to represent the patient without written permission to disclose this information and identity verification of the nominated party. If a patient wishes to nominate another party to have access to their records or results i.e. a husband, wife, partner, or parent, they must complete an ‘Information Release form’, which requires the patient to have a password that the nominated party will use to confirm their identity. Patients should be advised it is their responsibility to protect their password.
- Individual not identified.
- Disclosure is for verified and appropriate research purposes.
- Disclosure necessary to prevent or lessen a serious and imminent threat to public health or public safety or the life or health of an individual.
- Disclosure essential to facilitate sale of the business.
- Disclosure in relation to health education.
- Relevant to accreditation, quality assurance or risk assessment programmes.
- Authority under section 54.
Non-compliance may be necessary for maintenance of New Zealand law, enforcement of New Zealand law, protection of public revenue, conduct of New Zealand court proceedings, or managing drug seeker behaviours.
Unique Identifiers (Rule 13)
Health practitioners are permitted by the Health Information Privacy Code to assign the National Health Index number to an individual. Staff at Papamoa Beach Family Practice must not assign any other unique identifier to an individual unless that is necessary to enable the agency to carry out its functions efficiently.
Security
The majority of patient information is stored within their individual file within the Medtech Evolution Patient Management System on the computer. Data is backed up to the PMS system throughout the day and then daily in the evening to data centres in Auckland and Tauranga. In the event of a computer upgrade, all data is backed up to the data centres prior to upgrade.
Hard copy files are located in a secure area (reception or practice manager offices) or secure offsite locked storage not accessible to patients or the public.
The Privacy Officer (Dr Tessa Stewart) is available to staff to answer any questions relating to privacy matters. If in any doubt please contact the office of the sitting Privacy Commissioner on 0800 803 909.
End Note
The health sector has a key role to play in supporting this collaboration because of its reach into the lives of all New Zealanders and our shared responsibility to promote and protect the health of all across the life course. In addition to the contents of this policy, all staff are expected to familiarise themselves with the following related documents and attached appendices.
Related Documents:
- Collection and Storage of Documents Protocol
- Transferring of Patient Notes Protocol
- Information Release Form
Appendix One:
Family Violence Act 2018 – information sharing provisions
- Key differences between the Family Violence Act information sharing scheme and the existing serious threat provisions aimed at preventing harm in the Health Information Privacy Code (HIPC) and the Privacy Act 1993 are that it:
  - Applies to a wider group of health services and providers:
    - The Ministry of Health and district health boards (DHBs) are designated “family violence agencies” and must comply with the Act
    - Health practitioners registered under the Health Practitioners Competence Assurance Act 2003 are designated “duty holders” and must comply with the Act
    - A wide array of health services and providers, if they receive some public funding, and provide some level of service to victims or perpetrators of family violence, are also duty holders and must comply with the Act. This is the case even if their primary focus is not family violence prevention or providing assistance to those affected by family violence.
  - May permit disclosure in a wider range of circumstances, as the definition of family violence encompasses conduct that may not pose a direct threat to health or safety (such as financial or economic abuse)
  - Permits disclosure in a wider range of circumstances, as the definition of family violence encompasses conduct that may not pose a direct threat to health or safety (such as financial or economic abuse)
  - Permits disclosure to a slightly broader array of recipients. The serious threat provisions in the HIPC and the Privacy Act 1993 generally require disclosure to individuals with power to intervene more directly to protect the health and safety of the individual
  - Imposes a positive duty to consider release of information in certain circumstances
  - Explicitly states that if the information holder discloses information in good faith, they will be protected from civil, criminal or disciplinary proceedings
- Some health services and providers have new duties and protections. However, all members of the health sector need to be aware that they have a discretion to disclose personal information, without consent, where this is necessary to prevent a serious threat to the individual’s health and safety, or if criminal activity is being committe
Appendix Two:
Oranga Tamariki Act 1989 – information sharing provisions
- There will be explicit recognition of the principle that the well-being and best interests of the child/young person in general take precedence over confidentiality. This principle must guide information sharing decisions.
- There will be an explicit ability for information to be shared between independent persons and child welfare protection agencies to help protect children and young people.
- Child welfare protection agencies include the Ministry of Health, DHBs, and providers who are providing health and social support services.
- Independent persons include all registered health practitioners and “children’s workers”, a term defined in s23 of the Children’s Act 2014.
- Child welfare protection agencies and independent persons can use the information they hold to keep children and young people safe, irrespective of the purpose for which the information was provided or obtained.
- A wider group of people can be required to provide information when requested by the police, the Chief Executive of Oranga Tamariki and care and protection coordinators. Previously, this provision only applied to government agencies, but it now applies to almost everyone. When information is obtained under this provision, there is now an ability, in certain situations, to share this with child welfare protection agencies and independent persons.
- There is explicit provision for information about children and young people to be added to combined datasets that are maintained by child welfare and protection agencies, provided certain public notification requirements are met.
Appendix Three:
Oranga Tamariki Act 1989 and Oranga Tamariki (National Care Standards and Related Matters) Regulations 2018 – practice changes
- Oranga Tamariki will be required to provide a range of new support, including:
  - Support and care for 17 year olds who will become part of the youth justice system
  - A new transitions service for 18 – 25 year olds leaving care or youth justice, including the right to return to living with a caregiver until 21
  - A significant uplift in the quality of care, underpinned by the National Care Standards including provision for:
    - A process for assessing health needs
    - A requirement for Oranga Tamariki to ensure that support is provided to address the health needs of children and young people in care, including:
      - Ensuring enrolment with a primary health organisation
      - Access to an annual health check by a health practitioner aligned to the cultural values and needs of the child or young person
      - Access to an annual dental check
      - Support for the child or young person to access other needed health services in a timely manner.
