Tuesday, May 03, 2016
Privacy Of Health Information Hits The Headlines Again. Some GPs May Not Be As Careful As They Should Be But Most Are.
This appeared a few days ago:
April 28, 2016 6:44pm
YOUR health information could be at risk with the nation’s privacy watchdog finding major holes in the way GP practices manage patient privacy.
“A recent assessment of GP practices by the Office of the Australian Information Commissioner (OAIC) suggests that many practices could use more practical support to improve or establish privacy policies,” Mr Pilgrim said.
The commission last year conducted an assessment of the privacy policies of 40 GP practices from across Australia.
Only two clinics advised patients how they could request a correction to their personal information and only one advised patients how they could request access to their personal information.
The holes in the privacy system take on greater importance as the government pushes ahead with plans to automatically issue every Australian with an electronic health record managed by their GP.
Privacy Foundation spokesman Bernard Robertson-Dunn says the Information Commissioner’s report is very concerning.
“GPs are the people who have access to and control the most private of information that applies to Australians,” he said.
“Doctors should be at the forefront of privacy concerns,” he said.
He says the tougher penalties the government applied to its new electronic MyHealth record should also apply to a GP's own patient records.
The release from the Privacy Commissioner that stimulated the article said the following:
Thursday, 28 April 2016
Acting Australian Information Commissioner, Timothy Pilgrim, has today welcomed a series of actions by Australia’s peak medical groups to improve privacy practices at Australia’s GP clinics.
“A recent assessment of GP practices by the Office of the Australian Information Commissioner (OAIC) suggests that many practices could use more practical support to improve or establish privacy policies,” said the Commissioner.
“The OAIC appreciates that many GP practices are small to medium sized businesses and so practical, industry-relevant support is an effective way to improve privacy outcomes for practices and patients.”
“So I welcome the fact that the Australian Medical Association (AMA), the Royal Australian College of General Practitioners (RACGP), the Australian College of Rural and Remote Medicine (ACRRM) and the Australian Association of Practice Management (AAPM) have come together with the OAIC to provide practical support to their members to deliver open and transparent privacy policies within their practices.”
The OAIC regulates Australia’s Privacy Act 1988 and last year conducted an assessment of the privacy policies of 40 GP practices from across Australia. When the assessments revealed room for improvement, medical peak bodies were approached to help deliver training and practical solutions to assist GP practices.
Chair of the AMA Council of General Practice, Dr Brian Morton, said that “privacy is fundamental to the trusted relationship between a doctor and a patient and practices go to great lengths to protect this. The assessment report shows that some may need more guidance on how to develop transparent and robust privacy policies. The AMA is actively helping them with this.”
The Royal Australian College of General Practitioners President, Dr Frank R Jones, said the report was a timely reminder for general practices to review their privacy policies. “The RACGP provides useful resources to general practices to make adherence to the rules straightforward and our goal is to improve the practical help and support we already provide.”
ACRRM President Professor Lucie Walters said, “rural and remote doctors are keenly aware of the importance of privacy issues, especially given the circumstances of rural medical practice. ACRRM will be doing as much as possible to support its members to ensure that both the documentation and implementation of practice privacy policies are consistent with the requirements of the Privacy Act”.
Commissioner Pilgrim emphasised that a collaborative approach to create strong privacy governance in Australian businesses was always the OAIC’s preferred approach.
“The OAIC works constructively with businesses and the wider community to build an integrated approach to privacy compliance,” said the Commissioner.
“Thanks to the efforts of these peak bodies and the OAIC’s team, that preferred approach will lead to improved privacy management for Australian GPs and their patients.”
The report focused on assessing the privacy policies of 40 General Practice Clinics against Australian Privacy Principle (APP) 1 under the Privacy Act 1988. APP1 has a focus on open and transparent management of personal information.
To access the report, please visit https://www.oaic.gov.au/privacy-law/assessments/general-practice-clinics-app-1-privacy-policy-assessment.
Here is the link:
Most useful in the full report was the following:
3.1 The assessment also aimed to enhance the GP clinics’ understanding of privacy in the context of their obligations under the My Health Records Act and the HI Act.
3.2 Therefore, as part of the assessment the OAIC reviewed the privacy policies to ensure GP clinics adequately covered the use of the My Health Record system and their collection and use of IHIs. The assessment also looked at the use of electronic transfer of prescriptions (eTP) services.
3.3 31 of 36 GP clinics had signed a PCEHR Participation Agreement. Only one of these GP clinics specifically referred to the collection, use or disclosure of personal information by GPs through the use of the My Health Record system.
3.4 33 of 36 GP clinics stated that they held IHIs. 12 privacy policies specifically referred to the collection, holding, use or disclosure of IHIs.
· if the My Health Record system is used, it informs patients that the GP clinic may collect, use and disclose their health information for the purposes of using the My Health Record system
· if IHIs are collected, it informs patients that the GP clinic collects, holds, uses or discloses IHIs
· if an eTP service is used, it informs patients that the GP clinic may collect, use, hold or disclose their health information for the purposes of using that eTP service.
----- End Extract.
Overall I thought it was pretty impressive how compliant most practices seemed to be - recognising that these areas are almost certainly properly handled even if not formally documented.
Given there are lots of resources available for those who are not presently compliant it seems sensible to take advantage of these and get it all sorted.
More important, of course, is to have proper procedures and training in place to minimise risk of leaks and breaches.
Posted by Dr David More MB PhD FACHI at Tuesday, May 03, 2016