Tuesday, May 03, 2016

Privacy Of Health Information Hits The Headlines Again. Some GPs May Not Be As Careful As They Should Be But Most Are.

This appeared a few days ago:

Some Australian GPs found to be putting your privacy at risk

April 28, 20166:44pm
Sue Dunlevy News Corp Australia Network
YOUR health information could be at risk with the nation’s privacy watchdog finding major holes in the way GP practices manage patient privacy.
One in ten GP clinics have no privacy policy a review by the Acting Information Commissioner Timothy Pilgrim has found.
And many GPs who did have a privacy policy were found to have major holes in their systems.
“A recent assessment of GP practices by the Office of the Australian Information Commissioner (OAIC) suggests that many practices could use more practical support to improve or establish privacy policies,” Mr Pilgrim said.
The commission last year conducted an assessment of the privacy policies of 40 GP practices from across Australia.
Four practices had no privacy policy.
While 36 GP clinics had a privacy policy only two appropriately advised patients how to make a complaint about breaches of their privacy, the review found.
Only two clinics advised patients how they could request a correction to their personal information and only one advised patients how they could request access to their personal information.
The holes in the privacy system take on greater importance as the government pushes ahead with plans to automatically issue every Australian with an electronic health record managed by their GP.
Privacy Foundation spokesman Bernard Robertson-Dunn says the Information Commissioner’s report is very concerning.
 “GPs are the people who have access to and control the most private of information that applies to Australians,” he said.
“Doctors should be at the forefront of privacy concerns,” he said.
He says the tougher penalties the government applied to its new electronic MyHealth record should also apply to a GPs own patient records.
More here:
The release from the Privacy Commissioner that stimulated the article said the following:

Improving privacy in Australia’s general practices a joint effort

Thursday, 28 April 2016
Acting Australian Information Commissioner, Timothy Pilgrim, has today welcomed a series of actions by Australia’s peak medical groups to improve privacy practices at Australia’s GP clinics.
“A recent assessment of GP practices by the Office of the Australian Information Commissioner (OAIC) suggests that many practices could use more practical support to improve or establish privacy policies,” said the Commissioner.
“The OAIC appreciates that many GP practices are small to medium sized businesses and so practical, industry-relevant support is an effective way to improve privacy outcomes for practices and patients.”
“So I welcome the fact that the Australian Medical Association (AMA), the Royal Australian College of General Practitioners (RACGP), the Australian College of Rural and Remote Medicine (ACRRM) and the Australian Association of Practice Management (AAPM) have come together with the OAIC to provide practical support to their members to deliver open and transparent privacy policies within their practices.”
The OAIC regulates Australia’s Privacy Act1988 and last year conducted an assessment of the privacy policies of 40 GP practices from across Australia. When the assessments revealed room for improvement, medical peak bodies were approached to help deliver training and practical solutions to assist GP practices.
Chair of the AMA Council of General Practice, Dr Brian Morton, said that “privacy is fundamental to the trusted relationship between a doctor and a patient and practices go to great lengths to protect this. The assessment report shows that some may need more guidance on how to develop transparent and robust privacy policies. The AMA is actively helping them with this.”
The Royal Australian College of General Practitioners President, Dr Frank R Jones, said the report was a timely reminder for general practices to review their privacy policies. “The RACGP provides useful resources to general practices to make adherence to the rules straightforward and our goal is to improve the practical help and support we already provide.”
Danny Haydon, President of AAPM, confirmed that Practice Managers have a key role in ensuring their practice has an easily accessible privacy policy in place and that AAPM assists practice managers to implement this through a range of resources.
ACRRM President Professor Lucie Walters said, “rural and remote doctors are keenly aware of the importance of privacy issues, especially given the circumstances of rural medical practice. ACRRM will be doing as much as possible to support its members to ensure that both the documentation and implementation of practice privacy policies are consistent with the requirements of the Privacy Act”.
Commissioner Pilgrim emphasised that a collaborative approach to create strong privacy governance in Australian businesses was always the OAIC’s preferred approach.
“The OAIC works constructively with businesses and the wider community to build an integrated approach to privacy compliance,” said the Commissioner.
“Thanks to the efforts of these peak bodies and the OAIC’s team, that preferred approach will lead to improved privacy management for Australian GPs and their patients.” 

About the report

The report focused on assessing the privacy policies of 40 General Practice Clinics against Australian Privacy Principle (APP) 1 under the Privacy Act 1988. APP1 has a focus on open and transparent management of personal information.
The purpose of the assessment was to assist GP clinics to improve or enhance their existing privacy policy, taking into account the requirements under the Privacy Act 1988 (Privacy Act).The assessment aimed to enhance the GP clinics’ understanding of privacy and their obligations under the Privacy Act.
It examined the content, layout and availability of the privacy policy but did not consider how the information handling procedures set out in the privacy policy were implemented in practice. This report does not make conclusions about broader privacy practices of GP clinics beyond the scope described above.
The General Practice Clinics APP 1 Privacy Policy assessment report was conducted under Section 33C of the Privacy Act 1988.
Here is the link:
Most useful in the full report was the following:

APP 1.4 — Content: eHealth

Background

3.1           The assessment also aimed to enhance the GP clinics’ understanding of privacy in the context of their obligations under the My Health Records Act and the HI Act.
3.2           Therefore, as part of the assessment the OAIC reviewed the privacy policies to ensure GP clinics adequately covered the use of the My Health Record system and their collection and use of IHIs. The assessment also looked at the use of electronic transfer of prescriptions (eTP) services.

Commentary and recommendations

3.3           31 of 36 GP clinics had signed a PCEHR Participation Agreement. Only one of these GP clinics specifically referred to the collection, use or disclosure of personal information by GPs through the use of the My Health Record system.
3.4           33 of 36 GP clinics stated that they held IHIs. 12 privacy policies specifically referred to the collection, holding, use or disclosure of IHIs.
3.5           No privacy policy specifically referred to the collection, use or disclosure of personal information as a result of using an eTP service.
3.6           The OAIC recommended GP clinics amend their privacy policy so that:
·         if the My Health Record system is used, it informs patients that the GP clinic may collect, use and disclose their health information for the purposes of using the My Health Record system
·         if IHIs are collected, it informs patients that the GP clinic collects, holds, uses or discloses IHIs
·         if an eTP service is used, it informs patients that the GP clinic may collect, use, hold or disclose their health information for the purposes of using that eTP service.
----- End Extract.
The take-away for me in all this is if you plan to get involved in the myHR environment or e-Prescribing then it is important to have the relevant privacy policy in place for the patients of the practice. It’s a one off compliance issue but it is probably needed if the GP decides they want to go with the myHR to obtain the e-PIP incentives.
Overall I thought it was pretty impressive how compliant most practices seemed to be - recognising that these areas are almost certainly properly handled even if not formally documented.
Given there are lots of resources available for those who are not presently compliant it seems sensible to take advantage of these and get it all sorted.
More important, of course, is to have proper procedures and training in place to minimise risk of leaks and breaches.
David.

No comments: