Are you on top of patient privacy laws?
With National Privacy Awareness Week well under way, we ask healthcare providers, are you on top of patient privacy laws?
The Office of the Australian Information Commissioner’s (OAIC) national privacy week, puts privacy principles back in the spotlight, enforcing the vital importance of privacy, which is integral to building and maintaining people’s trust in both government agencies and businesses in their handling of personal information.
For healthcare, protecting patient privacy is one of the essential pillars of building a safe and cohesive health ecosystem, built on security and trust. And the OAIC’s patient privacy factsheets outline a number of key points you need to know about patient rights to their health information
Patient rights on privacy protection
Australian privacy law governs how healthcare providers can collect, use and share patient health information. These laws require healthcare providers to protect, correct and give patients access to their health information.
What is a patient’s ‘health information’?
Health information includes information about a patient’s health or a disability. It also includes any personal information collected while the patient is receiving a health service. This means that information such as a patient’s name, billing details, Medicare number, or personal details about race, sexuality or religion, may also be considered ‘health information’ in this context.
Health information is sensitive information and the Privacy Act places rules and restrictions as to how health service providers must manage it.
What is a ‘health service provider’?
Common examples of health service providers include doctors, pharmacists, dentists, private hospitals and nurses.
Allied services — such as counsellors, psychologists, chiropractors, disability services, physiotherapists, naturopaths, masseurs, gyms, weight loss clinics, child care centres and private schools – are also ‘health service providers’ in the context of collecting health information, and are bound by the same rules.
When can a provider collect patient health information?
Generally, a provider can only collect a patient’s health information when a patient gives consent. This information should only be collected directly from the patient, and should be only relevant to what’s required need to carry out the health service for that patient.
In some situations, a doctor may not need a patient’s consent, such as in an emergency. For example, if a patient is were unconscious and required urgent treatment, information about the patient could be collected from a family member or doctor without the patient’s consent.
What does the provider need to tell the patient about privacy?
The provider should ensure the patient understands why they are collecting the health information, how they will store and protect it, and if there are other parties they may disclose it to. They can tell this to the patient verbally or in writing. It is common practice to provide it to the patient with a written notice on forms the patient fills out.
All health services providers are required to have a privacy policy outlining how they handle health information. A patient can ask for the provider’s privacy policy at any time if they want more information about how they will handle their details.
How can a provider use patient’s health information? Can they share it with other parties?
A provider can use and share patient’s health information for the purpose for which they collected it, or for a directly related purpose you would reasonably expect.
Providers can also use or share patient health information for any other purpose with the patient’s consent, such as when giving referrals.
How do the Notifiable Data Breaches Scheme laws apply to healthcare?
Australian health service providers can no longer withhold information about cyber security breaches, with the Federal Government’s new Notifiable Data Breaches scheme now in full force.
The Privacy Amendment (Notifiable Data Breaches) Act 2017, now brings Australia into alignment with other countries, which have already had the same requirements for years.
The NDB scheme applies to all agencies and organisations, including health service providers, with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act).
This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
Under the new NDB scheme, entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers and medical history.
What is MedicalDirector’s position on privacy?
At MedicalDirector, we recognise data privacy and the ethical sharing of data is a top priority, and are committed to meet the needs of our customers to have a safe and secure way of managing digital health records, in the interests of patient privacy to enable better healthcare for all.
For this reason, you will see us in the coming months start to elevate our conversation on how we are continuing to lift the bar on security, while maintaining our position as leading innovators in solutions that enable better clinical practice management, more personalised patient engagement and more flexible models of care.
