
PRIVACY POLICY

HBO Medical Practice Privacy Policy


As at 3 December 2019 (This policy is improved regularly to be aligned with the OAIC legislation)

Introduction
It is our privilege to protect the privacy and confidentiality of our patients' personal (health) information, and
we seek to do so in accordance with all Australian Privacy Principles.

This privacy policy serves as a guideline for all staff members on how personal (health) information is
collected and used in the practice, and the circumstances in which we may disclose it to third parties.

What is privacy and confidentiality?


Privacy is the patient’s right that their personal (health) information is shared only between staff members
who need it to manage the patient. Confidentiality is the patient’s legal right for staff members not to
disclose personal (health) information acquired while fulfilling their routine activities.

Staff members will ensure that patients can discuss issues relating to their health, and that the GP can record
relevant personal health information, in a setting that provides visual privacy and protects against any
conversation being overheard by a third party.

Informing new patients of practice privacy policy


When new patients register with our practice, staff members must take reasonable steps to ensure new
patients understand and know about our privacy policy. The privacy policy will be attached to the patient's
registration form, leaflets will be available at the receptionist desk and in waiting rooms, and the
privacy policy will be posted on the walls throughout the practice.

All staff members will discuss the practice’s privacy policy with patients who are new to the practice if
requested by the patient.

Patient access to their personal health information


Under privacy legislation provisions, all patients have the right to access their health information stored at the
practice. The treating staff member will provide an up-to-date and accurate summary of their health
information on request or whenever appropriate. The treating staff member will consider all requests made
by a patient for access to their medical record. In doing so, the staff member will need to consider the risk of
any physical or mental harm resulting from the disclosure of health information. If the staff member is
satisfied that the patient may safely obtain the record then he/she will either show the patient the record, or
arrange for provision of a photocopy, and explain the contents to the patient. Any information that is
provided by others (such as information provided by a referring medical practitioner or another medical
specialist) is part of the health record and can be accessed by the patient.

Alteration of patient records


Our patients have the right to access and correct personal information that we hold about them. Staff
members will take reasonable steps to alter personal (health) information where the information is not
accurate or up to date and the change is straightforward (e.g. amending a phone number or address). Staff members may
ask every now and then to verify that a patient’s information held by our practice is accurate.

With requests to alter or correct a patient’s record, the treating staff member will annotate the patient’s
record to indicate the nature of the request and whether the staff member agrees with it. For legal reasons,
the doctor will not alter or erase the original entry.

Access to personal health information by practice staff


New patients must be informed that the practice undertakes research, professional development and quality
assurance activities to improve the health care services and practice management. Patients must know that
their personal health information cannot be accessed in these ways without their express consent, or where
the research is directly related to the purpose for which it was collected and within reasonable expectations of
the patient.

A patient’s consent to access their personal health information is essential. Staff members must ensure that
patients understand what the proposed research involves, the ways in which their personal health information
will be used, and the risks and benefits of agreeing to participate.

When research projects are conducted in the practice under the approval of an institutional ethics committee,
staff will be made aware of the requirements to obtain consent specified in the research protocol and ensure
that consent is properly obtained.

Confidentiality agreements
In order to protect personal privacy, this practice has staff (including temporary or casual staff),
sub-contractors (e.g. software providers) and medical students sign a confidentiality agreement.

Disclosure to third parties


Staff members will ensure that personal health information is disclosed to third parties only where consent of
the patient has been obtained. Exceptions to this rule occur when the disclosure is necessary to manage a
serious and imminent threat to the patient’s health or welfare, or is required by law.

We must only disclose a patient’s personal (health) information for the purpose of their care and treatment, or
in ways they would reasonably expect us to use it for their ongoing care and treatment (e.g. blood test results to
their specialist).

Staff members must carefully consider what personal (health) information is relevant for its intended
purpose, and ensure that no information is disclosed unnecessarily.

Requests for personal health information and medical records by other medical practices
Staff members will seek permission from our patients allowing their personal (health) information and
medical records to be forwarded as requested by other medical practices. Keeping our patients' personal
health information and medical records is essential for us to provide high quality health care at our practice,
and for other medical practices to provide the same quality of care.

The information and records requested by other medical practices will be forwarded via fax or email. All
copies will be accompanied by a message that the information contained is confidential and should be
destroyed by unintended recipients.

Security
All staff members and contractors will protect personal health information against unauthorised access,
modification or disclosure, and against misuse and loss, while it is being stored or actively used for continued
management of our patients' health care.

Staff will ensure that patients, visitors and other health care providers to the practice do not have
unauthorised access to the medical record storage area or computers. Staff will ensure that records,
pathology test results, and any other papers or electronic devices containing personal health information are
not left where they may be accessed by unauthorised persons.

Non-clinical staff will limit their access to personal health information to the minimum necessary for the
performance of their duties. Fax, e-mail and telephone messages will be treated with security equal to that
applying to medical records. Computer screens will be positioned to prevent unauthorised viewing of personal
health information.
Through the use of, for example, password-protected screen-savers, staff will ensure that computers left
unattended cannot be accessed by unauthorised persons. Medical practitioners and staff will ensure that
personal health information held in the practice is secured against loss or alteration of data. This includes
adherence to national encryption protocols.

Manual medical records and other papers containing personal health information will be filed promptly after
each patient contact. Staff will ensure that manual and electronic records, computers, other electronic
devices and filing areas are secured at the end of each day and that the building is locked when leaving. The
data on the computer system will be backed up daily and a duplicate backup tape/cartridge given to the
nominated staff member for storage off site. Backups should be routinely tested to ensure daily duplication
processes are valid and retrievable.

Patient consent
A patient’s consent is the guiding principle for all staff members in obtaining, using and disclosing their
personal health information. We must respect their right to decide how their information is used and provide
sufficient information to enable them to exercise that right fully.

Consent by patients can be either written or verbal; where sensitive information is involved, GPs should make
a notation in the medical record confirming the patient’s consent. Consent requirements will often be met as
staff members are open with how a patient’s personal health information is used.

Complaints about privacy related matters


If any patients wish to make a complaint about their privacy, please refer them to the Practice Manager,
giving the patient the Practice Manager’s contact details (name, phone number and email address). All staff
members are to remind the patient to provide sufficient details and any supporting information regarding
their complaint. The patient will be notified in writing of the outcome within 30 days from the date the
original written complaint was received.

If the patient is unsatisfied with the response or outcome, they can contact us to discuss their concerns
further, or lodge a complaint with the Australian Information Commissioner at www.oaic.gov.au or by calling
1300 363 992.

Retention of medical records and staff training


It is the policy of the practice that individual patient medical records be retained until the patient has reached
the age of 25 or for a minimum of 7 years from the time of last contact, whichever is the longer.

Practice training and induction procedures for medical practitioners and staff should ensure that medical
practitioners and staff demonstrate understanding of this policy. Ongoing education and training processes in
the practice will ensure that skills and competence in the implementation of the privacy policy and related
issues are maintained and updated.
